From dmercurio at ccgsecurity.com Mon Dec 3 13:54:38 2001
From: dmercurio at ccgsecurity.com (Dante Mercurio)
Date: Mon, 3 Dec 2001 13:54:38 -0500
Subject: [vpn] VPN Presentation
Message-ID: <4694DCBD1CE71F43B7E9E4DE82F239E9016F78@ct2001.webcti.local>

I recently gave a presentation on the effect of home VPNs on security
policies to corporate management at a potential customer site. I am making
the presentation available to all who would like to use it. (Giving credit
where credit is due, to me of course.)

Go to http://www.ccgsecurity.com and click on the presentation in the middle
of the screen. If you would like a .ppt version, email me.

Keep in mind, this presentation is not technical. It was written for
executive management to explain the necessity of including home desktops in
security policy when using VPNs to the office. You'd think that was obvious,
but...... =)

Thanks,

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
dmercurio at ccgsecurity.com

> -----Original Message-----
> From: Meador, Brandon J [mailto:Brandon.Meador at pnl.gov]
> Sent: Wednesday, November 28, 2001 5:26 PM
> To: 'vpn at securityfocus.com'
> Subject: [vpn] My VPN Problem
>
> Hello,
>
> I am having a problem adding a computer to a domain through a VPN. It
> sends the request and then nothing happens. I have checked the logs and
> it turns out the computer is hitting the box and accepting it, but it is
> not sending the packets back through the VPN. It seems to me that it is
> going through the Internet or some other way. Any help with this problem
> would be great.
>
> - Brandon

VPN is sponsored by SecurityFocus.com

From Conferences at marcusevansch.com Mon Dec 3 16:17:33 2001
From: Conferences at marcusevansch.com (Conferences)
Date: Mon, 3 Dec 2001 15:17:33 -0600
Subject: [vpn] Internetworking VPN
Message-ID: <90AAAE96E752D5118621009027855435449E0D@CHIBDC01>

Internetworking VPNs: January 29-31, 2002 - Washington, DC

Leading providers are establishing their market position through
performance-driven services, offering VPNs that are scalable, secure and
reliable. This technical gathering focuses on critical issues surrounding
VPN creation and deployment. Special emphasis will be placed on strategies
for Layer 2 and Layer 3 VPN provisioning, as well as IPsec traffic
management and security enhancements.

Information: www.IT-TelecomSolutions.com or conferences at marcusevansch.com

From joern at f-secure.com Tue Dec 4 04:13:46 2001
From: joern at f-secure.com (Joern Sierwald)
Date: Tue, 04 Dec 2001 10:13:46 +0100
Subject: [vpn] Re: Problem with Cisco VPN concentrator
In-Reply-To: <89680B404BA1DD419E6D93B28B41899B032335@01mail.nomadix.com>
Message-ID: <5.1.0.14.0.20011204100610.020fcbf0@dfintra.f-secure.com>

At 16:58 03.12.2001 -0800, Bikramjit Singh wrote:
> We have developed kind of a VPN masquerade feature for our USG (Universal
> Subscriber Gateway) product to let ISAKMP and ESP connections pass through
> from clients behind our gateway to respective VPN servers. We have taken
> tips to do accurate routing for inbound traffic from the Linux VPN
> Masquerade patch code. We are facing a weird problem with the Cisco VPN
> Concentrator series 3000 (and maybe all Cisco VPN servers).
>
> Since we are doing PAT (port address translation), multiple subscribers
> trying to connect to the same Cisco VPN concentrator are unable to do
> that, since Cisco can see only our USG's IP address and the same port
> number for ISAKMP (UDP/500) traffic from multiple subscribers. This way
> Cisco keeps the most recent connection only and the earlier clients'
> connections get dropped. Other devices (e.g. Nortel Contivity) do not show
> such behaviour and can keep simultaneous sessions even though they
> apparently come from the same client (USG's IP address); I guess by
> differentiating them on the basis of the ISAKMP initiator cookies.
>
> Cisco accepts the issue with PAT in its release notes and says that it
> will accept multiple connections from the same client (apparently;
> although in our case they are multiple clients being PATed to the same IP
> address and same port) only if they have different source port numbers.
>
> Now the question. We want to support both Cisco and non-Cisco connections
> going through our box without the user seeing any disconnections. Cisco
> will work with normal PAT (src ip/src port <---> USG IP/assigned src
> port), but others (e.g. Nortel) don't, and require both destination and
> source port to be 500. Is there a way to "probe" the Cisco concentrator
> that will tell us that it is a "Cisco", so that we should do normal PAT,
> and otherwise do our normal ISAKMP handling (keeping track of cookies)?
>
> Does anybody have any other solution/idea for it?
>
> thanks
>
> -Bik
>
> ------------------------------------------------------------------------
> Bik Singh              818-575-2518 (Off)
> Research Scientist     818-597-1502 (Fax)
> Product Development    31355 Agoura Road
> Nomadix                Westlake Village, CA 91361

My comment is that our product VPN+ 5.4 Gateway behaves very much like the
Concentrator in this case. The software maintains a list of "currently
connected remote clients", and the primary index for the list is (remote IP
address; UDP port number). So having multiple clients mapped to the same (IP
address; port number) pair is a bad idea: the gateway will delete sessions
all the time.

I just wonder... All PNAT implementations I've seen choose a random port
(per UDP "session") for clients. The PNAT I'm exposed to every day is a
FW-1, and it translates my UDP-500 IKE packets to src-address 712 or
whatever port was free. And this is the behaviour I would expect from ANY
PNAT box! If the Contivity requires port 500 as src, I'd call that a bug.

I'm aware that this won't help much, sorry.

Jörn Sierwald

From TomM at spectrum-systems.com Wed Dec 5 10:24:11 2001
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Wed, 5 Dec 2001 10:24:11 -0500
Subject: [vpn] ProhibitIpSec registry key and NS5
Message-ID: <2A0DB5123A51874C82699788F0985ED2064886@sith.spectrum-systems.com>

NetScreen Remote isn't involved in any L2TP communications. It may be that
your L2TP configuration is set up to connect to your L2TP server's external
IP address. If that's the case, NSR will never see the request for the VPN
tunnel to be formed.

Hope that helps!

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com

Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"

11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

Concerned about the security of your network? Spectrum Systems' Network
Security products and services can take the worry out of protecting your
network. Call us at 800-929-3781 or visit us at
http://www.spectrum-systems.com to learn more.
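An added model of the ISAKMP-behind-PAT problem from the Bik Singh / Jörn Sierwald exchange earlier in this digest; it is not code from any poster or from Nomadix, Cisco, Nortel or F-Secure. It assumes two NAT styles (port-preserving, as the USG does for ISAKMP, and port-assigning, as Jörn sees his FW-1 do) and two gateway peer-table indexes ((IP, port) as described for the Concentrator and VPN+, initiator cookie as Bik suspects for the Contivity); addresses and cookies are constructed.

```python
"""IKE (ISAKMP, UDP/500) behind port address translation: added example for the
Bik Singh / Jörn Sierwald exchange earlier in this digest. Not code from Nomadix,
Cisco, Nortel or F-Secure; both NAT styles and both gateway indexing policies are
constructed to mirror what the posters describe."""
from __future__ import annotations

import os
import struct
from dataclasses import dataclass

UDP_IKE = 500
# RFC 2408 ISAKMP header: initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, length (28 bytes).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

def build_isakmp(initiator_cookie: bytes) -> bytes:
    """First message of an exchange: the responder cookie is still zero."""
    # next payload 1 = SA, version 0x10 = ISAKMP 1.0, exchange 2 = Identity Protection
    return ISAKMP_HDR.pack(initiator_cookie, b"\0" * 8, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size)

def parse_cookies(datagram: bytes) -> tuple[bytes, bytes]:
    """Return (initiator cookie, responder cookie); NAT leaves both untouched."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie = ISAKMP_HDR.unpack_from(datagram)[:2]
    return icookie, rcookie

@dataclass
class Packet:
    src_ip: str
    src_port: int
    payload: bytes

class PortPreservingNAT:
    """Translates only the address and keeps UDP/500 as the source port (the
    USG's ISAKMP handling). Every inside client appears as (public_ip, 500),
    so replies have to be steered back by initiator cookie, not by port."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.by_cookie: dict[bytes, tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        icookie, _ = parse_cookies(pkt.payload)
        self.by_cookie[icookie] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, UDP_IKE, pkt.payload)

    def inbound(self, dst_port: int, payload: bytes) -> tuple[str, int]:
        icookie, _ = parse_cookies(payload)
        return self.by_cookie[icookie]

class PortAssigningNAT:
    """Ordinary PNAT: each inside (ip, port) gets its own free public port, as
    Jörn sees his FW-1 do (UDP/500 leaving as 712 "or whatever port was free")."""

    def __init__(self, public_ip: str, first_port: int = 712) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.forward: dict[tuple[str, int], int] = {}
        self.reverse: dict[int, tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.forward:
            self.forward[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.forward[key], pkt.payload)

    def inbound(self, dst_port: int, payload: bytes) -> tuple[str, int]:
        return self.reverse[dst_port]

class Gateway:
    """Remote peer table. index="addrport" keys on (remote IP, UDP port), the
    Concentrator/VPN+ behaviour described; index="cookie" keys on the ISAKMP
    initiator cookie, which is what Bik suspects the Contivity does."""

    def __init__(self, index: str) -> None:
        self.index = index
        self.sessions: dict[object, bytes] = {}
        self.dropped = 0  # peers torn down because a newcomer took their slot

    def receive(self, pkt: Packet) -> None:
        icookie, _ = parse_cookies(pkt.payload)
        key = (pkt.src_ip, pkt.src_port) if self.index == "addrport" else icookie
        if key in self.sessions and self.sessions[key] != icookie:
            self.dropped += 1
        self.sessions[key] = icookie

def simulate(nat_cls, index: str, n_clients: int = 3) -> tuple[int, int]:
    """Run n clients behind one NAT against one gateway; return (alive, dropped)."""
    nat, gw = nat_cls("203.0.113.1"), Gateway(index)  # constructed public address
    for i in range(n_clients):
        pkt = Packet(f"10.0.0.{i + 1}", UDP_IKE, build_isakmp(os.urandom(8)))
        gw.receive(nat.outbound(pkt))
    return len(gw.sessions), gw.dropped
```

`simulate(PortPreservingNAT, "addrport")` returns `(1, 2)`: only the last client survives and two established peers are torn down, exactly the symptom Bik reports; the other three combinations return `(3, 0)`, which is why a NAT that assigns distinct source ports (or a gateway that indexes by cookie) does not show it.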
> -----Original Message-----
> From: Thierry Blanchard [mailto:thierry_b at ifrance.com]
> Sent: Tuesday, December 04, 2001 6:53 PM
> To: VPN (E-mail)
> Subject: [vpn] ProhibitIpSec registry key and NS5
>
> When setting:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ProhibitIpSec = 1
> my L2TP works but without encryption (no IPsec).
>
> When setting:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ProhibitIpSec = 0
> I have an "Error 678 : There is no answer" on my W2K client.
> Even if I check "Require Encryption" in the DUN settings, I keep getting
> the same error.
> The Log Viewer of my Netscreen-Remote is not logging any activity. The
> log file on the NS5 firewall is also empty.
>
> Any idea?
>
> Thanks,
> Thierry.
>
> ______________________________________________________________________
> ifrance.com, the most complete free e-mail on the Internet!
> Your e-mail from a browser, via POP3, on Minitel, on WAP...
> http://www.ifrance.com/_reloc/email.emailif

From thierry_b at ifrance.com Wed Dec 5 13:44:23 2001
From: thierry_b at ifrance.com (Thierry Blanchard)
Date: Wed, 5 Dec 2001 10:44:23 -0800
Subject: [vpn] ProhibitIpSec registry key and NS5
In-Reply-To: <2A0DB5123A51874C82699788F0985ED2064886@sith.spectrum-systems.com>
Message-ID: <000301c17dbc$dd663070$6402010a@thierry>

You're right, I set up NSR to connect to the public IP address of my NS5XP
device. Then, what should I put as the remote party IP address, and should I
use a Remote Gateway Tunnel IP address?

From brian_anon at hotmail.com Wed Dec 5 03:23:27 2001
From: brian_anon at hotmail.com (Brian E)
Date: 5 Dec 2001 08:23:27 -0000
Subject: [vpn] Location of VPN?
Message-ID: <20011205082327.11128.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20011205/b908b144/attachment.txt

From TomM at spectrum-systems.com Wed Dec 5 15:52:47 2001
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Wed, 5 Dec 2001 15:52:47 -0500
Subject: [vpn] ProhibitIpSec registry key and NS5
Message-ID: <2A0DB5123A51874C82699788F0985ED2064889@sith.spectrum-systems.com>

Okay, now that I've read up on L2TP-over-IPSec a little more, I think I can
make a reasonable suggestion: Read NetScreen's Concepts and Examples Guide!
:^)

It has some good doc on configuring your NS-5XP to act as an L2TP server,
but the key is that the IPSec tunnel *and* the L2TP tunnel are configured to
terminate at the NetScreen's *Untrust* interface IP. Also, the tunnel must
be configured (on the 5XP itself) to be in Transport Mode. The remote party
ID would be (for most of the configurations I've done) IP Subnet, with the
subnet and netmask used at the NetScreen-5XP's trusted side (e.g.:
192.168.1.0/255.255.255.0).

There's lots of doc on the NetScreen website, including the C&E guide I
mentioned above, and their searchable knowledgebase is pretty good, but make
sure you use the option to search using *any* of the keywords (if you use
the "all" option, you'll find it's a little ... um ... sub-optimal).

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com

Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"

11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

From lisa at corecom.com Wed Dec 5 18:15:19 2001
From: lisa at corecom.com (Lisa Phifer)
Date: Wed, 05 Dec 2001 18:15:19 -0500
Subject: [vpn] ProhibitIpSec registry key and NS5
In-Reply-To: <2A0DB5123A51874C82699788F0985ED2064889@sith.spectrum-systems.com>
Message-ID: <4.2.0.58.20011205180602.00aa5a70@mail2.netreach.net>

At 03:52 PM 12/5/2001 -0500, Tom McHugh wrote:
> The remote party ID would be (for most of the configurations I've done)
> IP Subnet, with the subnet and netmask used at the NetScreen-5XP's
> trusted side (e.g.: 192.168.1.0/255.255.255.0).

When NS-Remote is configured for tunnel mode, this is correct. But this is
transport mode IPsec. The Remote Party ID should be the LNS (in this case,
the NS's *untrusted* IP, not the trusted subnet). "Connect using Security
Gateway" should be unchecked.

My guess is that Thierry's NS-Remote policy is not correctly configured to
direct UDP 1701 over IPsec transport mode to the NS5's untrusted IP,
NS-Remote is disabled, or the NS5's untrusted IP is not being given to DUN.

Lisa

From crenner at dynalivery.com Thu Dec 6 18:00:51 2001
From: crenner at dynalivery.com (Chuck Renner)
Date: Thu, 6 Dec 2001 17:00:51 -0600
Subject: [vpn] Cisco VPN 3.x client
Message-ID: <1D5FFAF04EC5D31182CD00508B5502BD63F216@novac.dynalivery.com>

First, a big "thank you" to those on the list that have given me a hand in
the past. You've helped me over some big hurdles in getting a VPN working
across my PIX. Hopefully, you'll be able to do the same this time.

Here's what I have:
* Cisco VPN 3.x client running on WinNT connecting to a PIX 506
* Everything is working nicely as far as connecting back into the LAN from a
  public network (except that pesky browse list...)
* The only problem is connecting to sites outside of the LAN.
In other words, I'm connected to my LAN via the VPN, and want to get to
Yahoo's web site. Without opening up local LAN access in the Cisco client,
I would need packets to go through my LAN's gateway.

Can anyone nudge me in the right direction to get this to work?

Thanks

From sigmafour at hotmail.com Thu Dec 6 14:54:05 2001
From: sigmafour at hotmail.com (Thomas Moore)
Date: 6 Dec 2001 19:54:05 -0000
Subject: [vpn] VPN and Domain rights
Message-ID: <20011206195405.22098.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20011206/a3b225ea/attachment.txt

From velasco333 at yahoo.com Fri Dec 7 12:36:13 2001
From: velasco333 at yahoo.com (Jorge Luis Velasco)
Date: Fri, 7 Dec 2001 09:36:13 -0800 (PST)
Subject: [vpn] Newbee
Message-ID: <20011207173613.21699.qmail@web11202.mail.yahoo.com>

Hello All,

Is there anyone who can tell me first hand what the requirements for setting
up a VPN are? I have been reading some documents from Microsoft and other
sites and am overwhelmed by the details. I just need to set one up to connect
my network here in Spain to the network in the US.

If someone is not too busy and would be willing to volunteer his e-mail
address so I can ask direct questions, this would be much appreciated.

Thanks all in advance.

Jorge

From dgillett at deepforest.org Fri Dec 7 16:27:27 2001
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Fri, 7 Dec 2001 13:27:27 -0800
Subject: [vpn] VPN and Domain rights
In-Reply-To: <20011206195405.22098.qmail@mail.securityfocus.com>
Message-ID: <3C10C3BF.26877.425F5FAF@localhost>

> I cringe at allowing someone past my external PIX into the
> concentrator and passing all the ports (SMB, NetBIOS etc.)
> through my internal PIX. Logically the VPN concentrator is my only
> security device.

Well, that's not quite true:

(a) It's in the DMZ; therefore, traffic reaching it from the outside must
conform to the rules of the "external PIX", which should only be allowing
encapsulated tunnel traffic to reach the concentrator.

(b) You haven't specified a make and model, but the VPN concentrators I'm
familiar with (Cisco 30xx) are *designed* to be a security device -- using
them in that role isn't much of a risk.

(c) If clients expect to access shares, etc., you're going to have to let
them pass "SMB, NetBIOS etc." through the "internal PIX" anyway. You'd just
stop forcing them to authenticate against Radius first -- and the
pre-authentication traffic would be effectively proxied by the concentrator.

(DMZs are usually implemented off a third..nth interface of a single
firewall box, and so your reference to internal and external PIXes sounds a
bit unusual. Is there some special reason your network was built that way?)

DG

On 6 Dec 2001, at 19:54, Thomas Moore wrote:

> My company is currently trying to implement a VPN. Our external PIX
> passes through traffic to a concentrator that sits in its own DMZ. From
> there each person is authenticated locally on the concentrator and then
> via Radius. If this all checks out then you are allowed through and,
> based on your user ID, you are given a static private IP in a certain
> range. Our internal PIX has ACLs that limit the IP addresses that can be
> hit based on your static IP address, thereby limiting users to what they
> need internally. So far so good.
>
> Now some have complained that they don't like to have more than one logon
> screen. What they want to do is have people log on straight from the VPN
> to the AD domain via LDAP.
>
> I cringe at allowing someone past my external PIX into the concentrator
> and passing all the ports (SMB, NetBIOS etc.) through my internal PIX.
> Logically the VPN concentrator is my only security device.
>
> Have you any ideas on how I can effectively give access without piping
> all the ports through my internal firewall? Have any of you ever run into
> this type of problem? Any help would be appreciated.
>
> Thanks

From ryan at securityfocus.com Fri Dec 7 16:22:41 2001
From: ryan at securityfocus.com (Ryan Russell)
Date: Fri, 7 Dec 2001 14:22:41 -0700 (MST)
Subject: [vpn] Newbee
In-Reply-To: <20011207173613.21699.qmail@web11202.mail.yahoo.com>

On Fri, 7 Dec 2001, Jorge Luis Velasco wrote:

> I just need to set one up to connect my network here
> in Spain to the network in the US.

So you want a site-to-site VPN, i.e. a WAN replacement, rather than a
remote-access VPN.

> If someone is not too busy and would be willing to
> volunteer his e-mail address so I can ask direct
> questions, this would be much appreciated.

You're welcome to mail me privately if you wish, but that's what this list
is for. Tina seems quite happy to have beginner questions on the list, and
people searching the archives later will thank you.

So, I have some questions for you:

What equipment do you already own at the two sites?
What operating system(s) are you comfortable with?
Do you have a budget?
Are you more interested in spending time to solve the problem (and learn
along the way), or are you in a hurry, and willing to buy some appliances?

Ryan

From crenner at dynalivery.com Fri Dec 7 19:24:14 2001
From: crenner at dynalivery.com (Chuck Renner)
Date: Fri, 7 Dec 2001 18:24:14 -0600
Subject: [vpn] Cisco VPN 3.x client
Message-ID: <1D5FFAF04EC5D31182CD00508B5502BD63F222@novac.dynalivery.com>

Ok...let me clarify my earlier question.

I've got a situation like this:

                  Internet
                     |
                     |
                  (router)
                   |    |
                  /      \
                 /        \
       (firewall        (Cisco PIX)
        NAT                 |
        default GW)         |
                 \         /
                  \       /
                internal network

The internal network is 192.168.1.0/24. The VPN clients are 192.168.2.0/24.
A routing entry in the NAT firewall redirects all traffic for 192.168.2.0/24
to the PIX. At this time, no other traffic passes through the PIX; it's only
doing VPN duties, so all encrypted traffic bypasses conduit rules.

I've tried adding a default route on the PIX's internal interface to point
to my internal network's gateway, and I've added an ipchains rule on that
system to forward the traffic.

I've done some packet sniffing now with the client doing a tracert to
www.yahoo.com, and can report the following:

* The client is encrypting each packet of the traceroute and sending it to
  the PIX.
* On the internal network, the most I see from the client is a DNS query for
  www.yahoo.com.

So something in the PIX configuration has to be the culprit. Any ideas?

From medellin at paragontechnologiesinc.com Mon Dec 10 10:31:19 2001
From: medellin at paragontechnologiesinc.com (Samantha Medellin)
Date: Mon, 10 Dec 2001 10:31:19 -0500
Subject: [vpn] Question
Message-ID: <5.1.0.14.0.20011210102921.03bbc440@mail.sihs.com>

What does it mean when a VPN connection error states, "can't identify
credentials"?

From tbird at precision-guesswork.com Mon Dec 10 13:58:13 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Mon, 10 Dec 2001 12:58:13 -0600 (CST)
Subject: [vpn] Intermittent Moderation

Or, moderation intermittently?

I am travelling in Europe, and my modem refuses to talk to the UK telecomm
infrastructure -- so I can only get to my e-mail when I can get a net drop.
This means that list postings are going to be kind of bursty, but don't
fret, the list's not gone...I'm just too much of a control freak to let
anyone else moderate for me.

cheers -- tbird

"I was being patient, but it took too long."
- Anya, "Buffy the Vampire Slayer" Log Analysis: http://www.counterpane.com/log-analysis.html VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html VPN is sponsored by SecurityFocus.com From jim.peters at globalems.com Mon Dec 10 15:32:51 2001 From: jim.peters at globalems.com (Jim Peters) Date: Mon, 10 Dec 2001 15:32:51 -0500 Subject: [vpn] Contivity client on win2k, domain authentication Message-ID: <999ED8D054E6D3118B9900E018C1380601232AE8@gems-web.globalems.com> I'm having a problem getting domain authentication on a Win2k workstation with our internal network. We're using a Nortel Contivity 1500 server with the 4.1 client and the latest server software. I can log into the switch just fine, I can browse the network, and I can access resources if I log onto each machine. according to the documentation on Win2k after I authenticate with the switch I should be able to hit Crtl-Atl-Delete and log onto the domain at that point but every time I do, the client disconnects when I log out. On the workstation I have the auto-connect service enabled, but can't figure out how to keep the client from disconnecting when I log out. Has anyone been able to do this? VPN is sponsored by SecurityFocus.com From dgillett at deepforest.org Mon Dec 10 16:23:42 2001 From: dgillett at deepforest.org (dgillett at deepforest.org) Date: Mon, 10 Dec 2001 13:23:42 -0800 Subject: [vpn] Cisco VPN 3.x client In-Reply-To: <1D5FFAF04EC5D31182CD00508B5502BD63F222@novac.dynalivery.com> Message-ID: <3C14B75E.22228.51CF065E@localhost> Is the PIX also doing NAT? My guess would be that client packets for the outside, emerging from the tunnel at the PIX, are getting sent to (router) with their origin addresses still in the client 192.168.2.0/24 space, and so nobody out on the internet can route replies back to them (if they accept the traffic at all). 
Ideally, you want to force client-riginated traffic to use the firewall as its gateway if it's headed back out to the Internet, but I remember having a similar issue with a Cisco (Altiga) 30xx box after a software upgrade, and having a great deal of difficulty convincing a Cisco TAC engineer that dumping client packets back out the untrusted interface was inappropriate behaviour. (In my case, the problem only showed up when the destination appeared to be local to the untrusted interface, but (a) the Cisco theory seemed to be that the box was a router first and a security device second, and (b) it wasn't a PIX. DG On 7 Dec 2001, at 18:24, Chuck Renner wrote: > Ok...let me clarify my earlier question. > > I've got a situation like this: > > Internet > | > | > (router) > | | > / > / > (firewall (Cisco PIX) > NAT | > default GW) | > \ / > \ / > internal network > > > The internal network is 192.168.1.0/24. The VPN clients are 192.168.2.0/24. > A routing entry in the NAT firewall redirects all traffic for 192.168.2.0/24 > to the PIX. At this time, no other traffic passes through the PIX; it's > only doing VPN duties, so all encrypted traffic bypasses conduit rules. > > I've tried adding a default route on the PIX's internal interface to point > to my internal network's gateway, and I've added an ipchains rule on that > system to forward the traffic. > > I've done some packet sniffing now with the client doing a tracert to > www.yahoo.com, and can report the following: > > * The client is encrypting each packet of the traceroute and sending it to > the PIX. > > * On the internal network, the most I see from the client is a DNS query for > www.yahoo.com. > > > So something in the PIX configuration has to be the culprit. Any ideas? 
> > > > > > > -----Original Message----- > > From: Chuck Renner [mailto:crenner at dynalivery.com] > > Sent: Thursday, December 06, 2001 5:01 PM > > To: 'vpn at securityfocus.com' > > Subject: [vpn] Cisco VPN 3.x client > > > > > > First, a big "thank you" to those on the list that have given > > me a hand in > > the past. You've helped me over some big hurdles in getting > > a VPN working > > across my PIX. Hopefully, you'll be able to do the same this time. > > > > Here's what I have: > > * Cisco VPN 3.x client running on WinNT connecting to a PIX 506 > > > > * Everything is working nicely as far as connecting back into > > the LAN from a > > public network (except that pesky browse list...) > > > > * The only problem is connecting to sites outside of the LAN. > > > > In other words, I'm connected to my LAN via the VPN, and want > > to get to > > Yahoo's web site. Without opening up local LAN access in the > > Cisco client, > > I would need packets to go through my LAN's gateway. > > > > Can anyone nudge me in the right direction to get this to work? > > > > Thanks > > > > VPN is sponsored by SecurityFocus.com > > > > VPN is sponsored by SecurityFocus.com > VPN is sponsored by SecurityFocus.com From Joel.Snyder at Opus1.COM Wed Dec 12 19:21:52 2001 From: Joel.Snyder at Opus1.COM (Joel M Snyder) Date: Wed, 12 Dec 2001 17:21:52 -0700 (MST) Subject: [vpn] News on VPNCON Alexandria (Fall/2001) and San Jose (Spring/2002) Message-ID: <01KBSEQ5K02U96VK26@Opus1.COM> Folks, just some quick news on VPNCON. If you missed VPNCON Alexandria in October, you can still get the complete conference on CD-ROM with audio and the slides. The Sound of Knowledge does this, and the URL is: http://www.tsok.net/tapelist.tpl?_wsConference_Codedatarq=2001-VPN-F&ac=VPN-F That includes all of the presentations that consented to audio taping, including the disaster recovery panel as well as the tutorials. 
If you want to attend the conference without leaving your seat, it's all available for you.

Second, if you're interested in presenting at VPNCON San Jose (May 13/14/15), the Call For Participation is ready.  You can contact me for an ASCII copy, or if you want to download it off the web, grab:

http://www.vpncon.com/2002/documents/CallforParticipation.PDF

We are hoping to have an extraordinarily rich VPNCON this Spring.  In addition to the benefits of co-locating with DSLcon, we've got sessions, tutorials, panels, "hands-on" labs, interoperability demos, and the usual exhibit hall and peer-to-peer networking opportunities.  If you'd like to be part of it, please take a look at the CFP and submit a session!

Joel Snyder
Conference Director, VPNCON

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v)  +1 520 324 0495 (FAX)
jms at Opus1.COM    http://www.opus1.com/jms    Opus One

From s.e.bohoudi at its.tudelft.nl  Fri Dec 14 19:32:27 2001
From: s.e.bohoudi at its.tudelft.nl (Salah Eddine Bohoudi)
Date: Sat, 15 Dec 2001 01:32:27 +0100
Subject: [vpn] client-gateway (nat-nat)
Message-ID:

Hello everybody,

I have a question about the following VPN scenario:

  Client
-------------Nat----------------------------------------GW------Internet
 Network

The client must set up a VPN connection through the NAT device to the VPN termination point (GW).  The client can have any possible address and the NAT device is optional (allowing access to everybody with Internet access).  The problem arises if the client has a non-routable address, say in the 10.0.0.0/8 range.  Actually we can get this working through UDP encapsulation and we can indeed build a tunnel between the client and the GW through the NAT device.  But when the packet is decrypted and de-encapsulated the GW faces the problem of the non-routable address, as the Internet network can also have a private address in the same range (10.0.0.0/8).
I hope that the point is clear and that somebody has a clean fix for this.

Thanks in advance,

Salah Eddine Bohoudi

From wad at acm.org  Sat Dec 15 11:26:09 2001
From: wad at acm.org (Eric Wadsworth)
Date: Sat, 15 Dec 2001 09:26:09 -0700
Subject: [vpn] VPN hardware
Message-ID: <5.1.0.14.0.20011215092456.00ab1cc0@mail.earthlink.net>

I have considerable experience with networks, but I've yet to set up a VPN.  So guess what I've got to do now?  You guessed it, set up a VPN.

A company is opening a branch in another state.  They'll both have DSL, and networks of Windows boxes (2000, XP).  I need a very low-maintenance solution that will provide strong encryption and authentication.  Based on what I read in the FAQ, a firewall solution looks best.  Is there a product that I can simply drop into place on each server, wiggle a few settings, and get it working?  I'll be setting it all up at the main branch, setting up both networks, then unplugging the offsite stuff and driving it to the other state, hopefully to be able to plug it all in at the new location.  Oh, and there will be other branches opening up in the near future, so I need something scalable too.

Thanks for any ideas you may have!

--- Eric

From dgillett at deepforest.org  Sun Dec 16 05:39:22 2001
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Sun, 16 Dec 2001 02:39:22 -0800
Subject: [vpn] client-gateway (nat-nat)
In-Reply-To:
Message-ID: <3C1C095A.8533.12A5ADA5@localhost>

On 15 Dec 2001, at 1:32, Salah Eddine Bohoudi wrote:

> Hello everybody,
>
> I have a question about the following VPN scenario:
>
>   Client
> -------------Nat----------------------------------------GW------Internet
>  Network
>
> The client must set up a VPN connection through the NAT device to
> the VPN termination point (GW).
> The client can have any possible address and the NAT device is
> optional (allowing access to everybody with Internet access).
> The
> problem arises if the client has a non-routable address, say in the
> range of 10.0.0.0/8.  Actually we can get this working through
> UDP encapsulation and we can indeed build a tunnel between the
> client and the GW through the NAT device.  But when the packet is
> decrypted and de-encapsulated the GW faces the problem of the
> non-routable address, as the Internet network can also have a
> private address in the same range (10.0.0.0/8).  I hope that the
> point is clear and that somebody has a clean fix for this.
>
> Thanks in advance,
>
>
> Salah Eddine Bohoudi

In the cases where I have run into this, the client has TWO IP addresses.  It has its local LAN address, which is used to pass "real" packets between it and the NAT device.

It has a second *virtual* network interface for tunnelled packets, and this one gets an address handed to it (via DHCP) by the gateway as part of tunnel establishment.  Devices beyond the gateway address it via this virtual address, which the gateway knows to send through the tunnel to the NAT device.

Hang on a sec -- Your placement of the Internet on your diagram is VERY STRANGE.  The usual arrangement is:

  Client                                     Protected
-------=====NAT=====Internet=====GW-------------
 Network                                     Network

A connection between the client device and the gateway -- across the Internet! -- carries encapsulated/encrypted traffic between client applications and the protected network, so that its details are not exposed while it transits the Internet.  Why would anyone build a VPN *to* the Internet, except perhaps to conceal Internet traffic that violates local network policy....?
Dave Gillett

From Stephen.Hope at energis.com  Mon Dec 17 09:36:52 2001
From: Stephen.Hope at energis.com (Stephen Hope)
Date: Mon, 17 Dec 2001 14:36:52 -0000
Subject: [vpn] client-gateway (nat-nat)
Message-ID: <73BE32DA9E55D511ACF30050BAEA0487459052@eisemail.energis.co.uk>

Salah,

I think you are asking how to fix a problem where you have the same address range in 2 different private networks linked by the Internet.

If this is just a routed connection, then so long as both networks do address translation before their traffic hits the common Internet, IP routing will work.

However, if you link the separate networks with a VPN tunnel, then the tunnel effectively joins the 2 private networks.  If there are routing conflicts or address overlaps then routing within the networks cannot send packets in the "right" direction.

The only fix for this is to:

1. organise addressing so that the overlaps don't occur.

2. make sure that the conflicting addresses are in parts of the networks which don't send traffic to the "other" private network, so the conflicts don't interfere.

3. put 2 sets of address translation between the overlapping networks.

So, if you have the same addresses in the 2 networks, then you need to do address translation twice "outside" the VPN tunnel.

Or, you put all your servers and other public access systems which are accessed from the other private network on an Internet assigned address - i.e. use a guaranteed unique address.

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK.
M31 4ZU
Tel: +44 (0)161 776 4194   Mob: +44 (0)7767 256 180   Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Salah Eddine Bohoudi [mailto:s.e.bohoudi at its.tudelft.nl]
> Sent: Saturday, December 15, 2001 12:32 AM
> To: vpn at securityfocus.com
> Subject: [vpn] client-gateway (nat-nat)
>
>
> Hello everybody,
>
> I have a question about the following VPN scenario:
>
>   Client
> -------------Nat----------------------------------------GW------Internet
>  Network
>
> The client must set up a VPN connection through the NAT device to the VPN
> termination point (GW).
> The client can have any possible address and the NAT device is optional
> (allowing access to everybody with Internet access).
> The problem arises if the client has a non-routable address, say in the
> range of 10.0.0.0/8.  Actually we can get this working through UDP
> encapsulation and we can indeed build a tunnel between the client and the GW
> through the NAT device.  But when the packet is decrypted and de-encapsulated
> the GW faces the problem of the non-routable address, as the Internet network
> can also have a private address in the same range (10.0.0.0/8).  I hope that
> the point is clear and that somebody has a clean fix for this.
>
> Thanks in advance,
>
>
> Salah Eddine Bohoudi

********************************************************************************************************
This e-mail is from Energis plc, 50 Victoria Embankment, London, EC4Y 0DE, United Kingdom, No: 2630471.

This e-mail is confidential to the addressee and may be privileged.  The views expressed are personal and do not necessarily reflect those of Energis.  If you are not the intended recipient please notify the sender immediately by calling our switchboard on +44 (0) 20 7206 5555 and do not disclose to another person or use, copy or forward all or any of it in any form.
********************************************************************************************************
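Stephen's option 3 (translate on both sides of the tunnel) is easy to get wrong in the address arithmetic, so here is an added example of it, not code from anyone on this thread. It uses a constructed version of Salah's scenario: the client LAN and the protected network both use 10.1.0.0/16, the client-side NAT presents its hosts as 172.16.0.0/16 and the gateway-side NAT presents the protected hosts as 172.17.0.0/16. All four prefixes are arbitrary choices, and `overlaps`, `TwiceNat` and `walk` are names invented for this example. The thing to notice is that only pool addresses ever appear inside the tunnel, which is what makes the overlap disappear from the gateway's routing decision.

```python
"""Overlap check and twice-NAT address arithmetic for a VPN client whose
LAN uses the same private range as the protected network.

Added example, not from the mailing-list thread.  Constructed addresses:
  client LAN            10.1.0.0/16    (client host 10.1.0.5)
  protected network     10.1.0.0/16    (server 10.1.0.9)  -- the overlap
  client-side NAT pool  172.16.0.0/16  (how the client LAN looks to the GW side)
  GW-side NAT pool      172.17.0.0/16  (how the protected LAN looks to the client)
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Tuple


def overlaps(a: str, b: str) -> bool:
    """True when the two prefixes share any address: Stephen's case, where
    routing inside the joined networks can no longer pick a direction."""
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


class TwiceNat:
    """Static one-to-one (network-to-network) translation between an inside
    prefix and an equally sized, non-overlapping pool.  Host bits are carried
    across unchanged, so the mapping is reversible without a state table."""

    def __init__(self, inside: str, pool: str) -> None:
        self.inside = ip_network(inside, strict=False)
        self.pool = ip_network(pool, strict=False)
        if self.inside.prefixlen != self.pool.prefixlen:
            raise ValueError("inside prefix and pool must be the same size")
        if self.inside.overlaps(self.pool):
            raise ValueError("pool must not overlap the prefix it hides")

    @staticmethod
    def _shift(addr: str, src: IPv4Network, dst: IPv4Network) -> str:
        a = ip_address(addr)
        if a not in src:
            raise ValueError(f"{addr} is not inside {src}")
        host_bits = int(a) - int(src.network_address)
        return str(IPv4Address(int(dst.network_address) + host_bits))

    def outbound(self, addr: str) -> str:
        """Inside -> pool: applied to the source of packets leaving this side."""
        return self._shift(addr, self.inside, self.pool)

    def inbound(self, addr: str) -> str:
        """Pool -> inside: applied to the destination of packets arriving."""
        return self._shift(addr, self.pool, self.inside)


Pkt = Tuple[str, str]  # (src, dst)


def walk(client_host: str, server_host: str,
         client_nat: TwiceNat, gw_nat: TwiceNat) -> Dict[str, Pkt]:
    """Follow one request and its reply through both translators and record
    the (src, dst) pair visible at each vantage point.

    The client never learns the server's real 10.x address; it addresses the
    GW-side pool, and only pool addresses ever appear inside the tunnel."""
    server_alias = gw_nat.outbound(server_host)      # what the client dials
    req_client_lan: Pkt = (client_host, server_alias)
    req_tunnel: Pkt = (client_nat.outbound(client_host), server_alias)
    req_protected: Pkt = (req_tunnel[0], gw_nat.inbound(req_tunnel[1]))

    # Reply: the server answers the client's pool address, symmetrically.
    rep_protected: Pkt = (server_host, req_tunnel[0])
    rep_tunnel: Pkt = (gw_nat.outbound(server_host), req_tunnel[0])
    rep_client_lan: Pkt = (rep_tunnel[0], client_nat.inbound(rep_tunnel[1]))

    return {
        "request_client_lan": req_client_lan,
        "request_tunnel": req_tunnel,
        "request_protected_lan": req_protected,
        "reply_protected_lan": rep_protected,
        "reply_tunnel": rep_tunnel,
        "reply_client_lan": rep_client_lan,
    }


if __name__ == "__main__":
    client_side = TwiceNat("10.1.0.0/16", "172.16.0.0/16")
    gw_side = TwiceNat("10.1.0.0/16", "172.17.0.0/16")
    print("overlap without translation:", overlaps("10.1.0.0/16", "10.1.0.0/16"))
    print("overlap between the pools:  ", overlaps("172.16.0.0/16", "172.17.0.0/16"))
    for point, (src, dst) in walk("10.1.0.5", "10.1.0.9", client_side, gw_side).items():
        print(f"{point:22s} {src:>12s} -> {dst}")
```

The constructor refuses a pool that overlaps the prefix it hides, which is the check worth keeping: a pool chosen from the same 10/8 space quietly recreates the original problem one hop further along. Stephen's alternative of giving the servers globally unique addresses avoids the second translation entirely, at the cost of public address space.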
From MikeK at M-V-T.COM  Mon Dec 17 12:33:28 2001
From: MikeK at M-V-T.COM (Mike Kelley)
Date: Mon, 17 Dec 2001 10:33:28 -0700
Subject: [vpn] Cisco VPN 3.X and DSL questions
Message-ID:

Newbie in multiple senses of the word,

We have a remote office who just got a DSL connection.  Our plan was to hook up multiple computers through the one DSL connection (easy enough) but we wanted each of the computers on the DSL connection to use the Cisco VPN.  While installing and verifying connectivity I realized only one computer at a time could use the VPN connection, didn't matter which but it was limited to just one of the clients at a given time....  We'd still like to have multiple computers on one DSL circuit ... Any pointers?  Any advice?

TIA

Mike

From dmercurio at ccgsecurity.com  Mon Dec 17 14:46:40 2001
From: dmercurio at ccgsecurity.com (Dante Mercurio)
Date: Mon, 17 Dec 2001 14:46:40 -0500
Subject: [vpn] Cisco VPN 3.X and DSL questions
Message-ID: <4694DCBD1CE71F43B7E9E4DE82F239E9112964@ct2001.webcti.local>

One option is to use the Cisco 3002 Hardware Client to set up a site-to-site.  Here's some info:

http://www.cisco.com/warp/public/cc/pd/vpnc/vpncl/

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
dmercurio at ccgsecurity.com

> -----Original Message-----
> From: Mike Kelley [mailto:MikeK at M-V-T.COM]
> Sent: Monday, December 17, 2001 12:33 PM
> To: vpn at securityfocus.com
> Subject: [vpn] Cisco VPN 3.X and DSL questions
>
>
>
> Newbie in multiple senses of the word,
>
> We have a remote office who just got a DSL connection.  Our
> plan was to hook up multiple computers through the one DSL
> connection (easy enough) but we wanted each of the computers
> on the DSL connection to use the Cisco VPN.
> While installing
> and verifying connectivity I realized only one computer at a
> time could use the VPN connection, didn't matter which but it
> was limited to just one of the clients at a given time....
> We'd still like to have multiple computers on one DSL circuit
> ... Any pointers?  Any advice?
>
> TIA
>
>
> Mike

From dgillett at deepforest.org  Mon Dec 17 15:47:12 2001
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Mon, 17 Dec 2001 12:47:12 -0800
Subject: [vpn] client-gateway (nat-nat)
In-Reply-To:
References: <3C1C095A.8533.12A5ADA5@localhost>
Message-ID: <3C1DE950.12915.19F8884A@localhost>

On 17 Dec 2001, at 20:20, Salah Eddine Bohoudi wrote:

> -----Original Message-----
> From: dgillett at deepforest.org [mailto:dgillett at deepforest.org]
> Sent: Sunday, December 16, 2001 11:39 AM
> To: Salah Eddine Bohoudi; vpn at securityfocus.com
> Subject: Re: [vpn] client-gateway (nat-nat)
>
>
> In the cases where I have run into this, the client has TWO IP
> addresses.  It has its local LAN address, which is used to pass
> "real" packets between it and the NAT device.
> It has a second *virtual* network interface for tunnelled packets,
> and this one gets an address handed to it (via DHCP) by the gateway
> as part of tunnel establishment.  Devices beyond the gateway address
> it via this virtual address, which the gateway knows to send through
> the tunnel to the NAT device.
>
>
> Many clients (SafeNet, Ashley-Laurent OEMs) let you statically configure
> an inner IP address (VIP) for a tunnel.  I am using the Checkpoint VPN
> SecureClient and the gateway is a FW-1 VPN box.  I wonder whether it's
> possible to specify an inner IP address and how a specific application
> can use the IP address of this virtual interface instead of the IP
> address of the local LAN interface?
> Is it for instance possible to let some traffic (say ftp) use the
> virtual IP address as source address and some other application use the
> local LAN address (binding aspect)?
>
> Thanks in advance

Some VPN products let remote client applications access the local LAN/WAN interface while there is a virtual connection to the VPN.  Vendors call this feature "split tunnelling".

(The selection of which interface to use for outbound packets, where there are several available, is *usually* determined by routing, based on destination, rather than by application....)

Because it opens the possibility that the client machine might act as a backdoor route from untrusted networks, including the Internet, to the network hosting the VPN, this feature generally defaults to "off" -- and most admins prefer to leave it that way.

Dave Gillett

From rmalayter at bai.org  Tue Dec 18 13:27:29 2001
From: rmalayter at bai.org (Ryan Malayter)
Date: Tue, 18 Dec 2001 12:27:29 -0600
Subject: [vpn] Problems with Ipsec over sonicwall and checkpoint
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187F577@mail.bai.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We've got a Sonicwall Pro-VX connected to a Nokia Checkpoint FW-1 device via IPsec using a shared secret.  The tunnel seems to work great, quite fast, but periodically (say, once a day) the tunnel comes down for 15-20 minutes and then spontaneously comes back up.  I have a pinging script doing a keepalive, so I can record outages.

I get basically nothing to help diagnose the problem in the Sonicwall log, and though I don't control the FW-1 end, they say they don't see anything unusual there, either.  All we see is the IKE renegotiation when the tunnel comes back up.

I've been monitoring the connection carefully, and the intervals between outages seem fairly random: 36, 7, 24, 13 hours, etc.  So I don't think it's a timeout issue.
All other Internet access on both sides of the VPN is unaffected; only the VPN tunnel goes down.  Both devices have the latest firmware.

Basically, I don't know who to approach about this one - Sonicwall or Checkpoint.  Has anyone seen similar behavior on either device?  I know there were IPsec problems with 4.x series Sonicwall firmware, but I believe those were resolved.  Sonicwall tech support has been contacted, but no resolution yet.

Thanks for any help,

:::Ryan Malayter, MCSE
:::Bank Administration Institute
:::Chicago, Illinois, USA
- ---------------
"Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened."
-Sir Winston Churchill

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - GPGshell v2.10b19
Comment: For info see http://www.gnupg.org

iD8DBQE8H4pH9wZiZHyXot4RAq5NAKDJfaEkht+iPOsLLfNDdKJ4QNORQgCcCH0/
m17nVXRyQjXiGyha2zuuFho=
=66Pw
-----END PGP SIGNATURE-----

From Keith.Pachulski at corp.ptd.net  Tue Dec 18 14:17:19 2001
From: Keith.Pachulski at corp.ptd.net (Keith Pachulski)
Date: Tue, 18 Dec 2001 14:17:19 -0500
Subject: [vpn] Sonicwall to Cisco IPSEC Tunnel between two private networks.
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have on two occasions, with two different customers, tried to get a tunnel working with these devices and had no luck in either case.  If anyone has been able to accomplish tunneling with a Cisco 2621 IP/FW/IDS/IPSEC 3DES and a Sonicwall between two private networks with NAT please email me.

thanks,
Keith

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPB+WfOGTq6qVSXTQEQIDnQCfZgNBIz2jA7R/HI+oLTzrtxLCAoMAoPan
oiSTjztTodhBzVFy+nPDkR8N
=HIem
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGPexch.htm.asc
Type: application/octet-stream
Size: 877 bytes
Desc: PGPexch.htm.asc
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20011218/af109188/attachment.obj

From rmalayter at bai.org  Tue Dec 18 18:48:10 2001
From: rmalayter at bai.org (Ryan Malayter)
Date: Tue, 18 Dec 2001 17:48:10 -0600
Subject: [vpn] Sonicwall to Cisco IPSEC Tunnel between two private net works.
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187F583@mail.bai.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: Keith Pachulski [mailto:Keith.Pachulski at corp.ptd.net]
>I have on two occasions, with two different
>customers, tried to get a tunnel working with
>these devices and had no luck in either case.  If
>anyone has been able to accomplish tunneling
>with a Cisco 2621 IP/FW/IDS/IPSEC 3DES and a
>Sonicwall between two private networks with
>NAT please email me.

Looks like Sonicwalls have trouble with other vendors, too...  Argh!  Why can't all this crap ever just work as designed?  I guess I'll see if that tier-1 Sonicwall support contract was worth the cash.

:::Ryan Malayter, MCSE
:::Bank Administration Institute
:::Chicago, Illinois, USA
=======================================
As of right now, you're on Double-Secret Probation.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - GPGshell v2.10b19
Comment: For info see http://www.gnupg.org

iD8DBQE8H9Wd9wZiZHyXot4RAv73AJ9TTJ5weUaA3OqGFvyCXyy3SWiXygCfXyrA
FbaDUerCWHKSLd5hOmHg6Rc=
=L+pB
-----END PGP SIGNATURE-----

From rmalayter at bai.org  Tue Dec 18 19:00:52 2001
From: rmalayter at bai.org (Ryan Malayter)
Date: Tue, 18 Dec 2001 18:00:52 -0600
Subject: [vpn] Problems with Ipsec over sonicwall and checkpoint
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187F584@mail.bai.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: Dante Mercurio [mailto:dmercurio at ccgsecurity.com]
>Though it doesn't appear to be a timeout issue, I have
>seen random problems appear between unlike hardware
>when their timeouts are set separately.  In these situations,
>I have found that it is best to allow one side to initiate
>the renegotiation, and set the other side never to timeout.

Thanks for the insight.  Unfortunately, that's how our setup is already configured.  The Checkpoint keeps the tunnel alive forever, and the Sonicwall does renegotiation every 24 hours.  (The Sonicwall can't even be set to keep the tunnel up forever - 29 days is the max.  So I can't test it the other way.  Argh!)

I've been reading all over the net about various *sonicwall-to-sonicwall* VPNs going down randomly.  If Sonicwall can't even get that right, I think I'm in deep doodoo using that box.

:::Ryan Malayter, MCSE
:::Bank Administration Institute
:::Chicago, Illinois, USA
=====================================
"To call something public is to define it as dirty, insufficient and hazardous.  The ultimate paradigm of social spending is the public rest room."
-P.J. O'Rourke

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - GPGshell v2.10b19
Comment: For info see http://www.gnupg.org

iD8DBQE8H9iS9wZiZHyXot4RAuRqAKDCWFG9C0ad7x+afUdwSyAfSnmirgCfb5LK
913xmKroojBkanNDex3CiKQ=
=PFZj
-----END PGP SIGNATURE-----

From cgripp at axcelerant.com  Tue Dec 18 21:21:15 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Tue, 18 Dec 2001 18:21:15 -0800
Subject: [vpn] Problems with Ipsec over sonicwall and checkpoint
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D48C2@guam.corp.axcelerant.com>

If you want a tunnel to stay up forever use static keys and not IKE.  Most tunnel issues I have seen are caused by IKE timing out and one end not realizing the SA is no longer valid.

-----Original Message-----
From: Ryan Malayter [mailto:rmalayter at bai.org]
Sent: Tuesday, December 18, 2001 4:01 PM
To: 'vpn at securityfocus.com'
Cc: 'Dante Mercurio'
Subject: RE: [vpn] Problems with Ipsec over sonicwall and checkpoint

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: Dante Mercurio [mailto:dmercurio at ccgsecurity.com]
>Though it doesn't appear to be a timeout issue, I have
>seen random problems appear between unlike hardware
>when their timeouts are set separately.  In these situations,
>I have found that it is best to allow one side to initiate
>the renegotiation, and set the other side never to timeout.

Thanks for the insight.  Unfortunately, that's how our setup is already configured.  The Checkpoint keeps the tunnel alive forever, and the Sonicwall does renegotiation every 24 hours.  (The Sonicwall can't even be set to keep the tunnel up forever - 29 days is the max.  So I can't test it the other way.  Argh!)

I've been reading all over the net about various *sonicwall-to-sonicwall* VPNs going down randomly.  If Sonicwall can't even get that right, I think I'm in deep doodoo using that box.
:::Ryan Malayter, MCSE
:::Bank Administration Institute
:::Chicago, Illinois, USA
=====================================
"To call something public is to define it as dirty, insufficient and hazardous.  The ultimate paradigm of social spending is the public rest room."
-P.J. O'Rourke

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - GPGshell v2.10b19
Comment: For info see http://www.gnupg.org

iD8DBQE8H9iS9wZiZHyXot4RAuRqAKDCWFG9C0ad7x+afUdwSyAfSnmirgCfb5LK
913xmKroojBkanNDex3CiKQ=
=PFZj
-----END PGP SIGNATURE-----

From tbird at precision-guesswork.com  Wed Dec 19 10:43:55 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 19 Dec 2001 09:43:55 -0600 (CST)
Subject: [vpn] SCS: Disabled at interface level
Message-ID:

Does anyone know what this NetScreen VPN message means?

NetScreen device_id=0010072001000035 system-warning-00528: SCS: Disabled at interface level. Client host attempting connection to interface 'untrust' with address xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyy 42 (2001-12-17 06:15:53)

From TomM at spectrum-systems.com  Wed Dec 19 14:45:35 2001
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Wed, 19 Dec 2001 14:45:35 -0500
Subject: [vpn] SCS: Disabled at interface level
Message-ID: <2A0DB5123A51874C82699788F0985ED20648EE@sith.spectrum-systems.com>

"SCS" is what NetScreen calls SSH.  This message means that someone tried to ssh into the firewall's untrusted port, which has the service disabled.

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com
Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"
11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

Concerned about the security of your network?  Spectrum Systems' Network Security products and services can take the worry out of protecting your network.
Call us at 800-929-3781 or visit us at http://www.spectrum-systems.com to learn more.

> -----Original Message-----
> From: Tina Bird [mailto:tbird at precision-guesswork.com]
> Sent: Wednesday, December 19, 2001 10:44 AM
> To: vpn at securityfocus.com
> Subject: [vpn] SCS: Disabled at interface level
>
>
> Does anyone know what this NetScreen VPN message means?
>
> NetScreen device_id=0010072001000035 system-warning-00528:
> SCS: Disabled at interface level. Client host attempting
> connection to interface 'untrust' with address
> xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyy 42 (2001-12-17 06:15:53)

From cgripp at axcelerant.com  Wed Dec 19 14:39:18 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Wed, 19 Dec 2001 11:39:18 -0800
Subject: [vpn] SCS: Disabled at interface level
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D48C6@guam.corp.axcelerant.com>

SCS is Secure Command Shell, which is what NetScreen calls SSH.  Sounds like someone is attempting an SSH session to the interface xxx.xxx.xxx.xxx and it isn't enabled...  My guess.

Chris

> -----Original Message-----
> From: Tina Bird [mailto:tbird at precision-guesswork.com]
> Sent: Wednesday, December 19, 2001 7:44 AM
> To: vpn at securityfocus.com
> Subject: [vpn] SCS: Disabled at interface level
>
>
> Does anyone know what this NetScreen VPN message means?
>
> NetScreen device_id=0010072001000035 system-warning-00528:
> SCS: Disabled at interface level.
> Client host attempting
> connection to interface 'untrust' with address
> xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyy 42 (2001-12-17 06:15:53)

From cgripp at axcelerant.com  Wed Dec 19 16:22:59 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Wed, 19 Dec 2001 13:22:59 -0800
Subject: [vpn] SCS: Disabled at interface level
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D48C9@guam.corp.axcelerant.com>

Hey Tina,

I just confirmed on my NS5 here.  I get the same message when trying to SSH to an interface that has SCS disabled.

Christopher Gripp
Systems Engineer
Axcelerant

"Never tell people how to do things.  Tell them what to do and they will surprise you with their ingenuity."
-General George S. Patton

> -----Original Message-----
> From: Tina Bird [mailto:tbird at precision-guesswork.com]
> Sent: Wednesday, December 19, 2001 7:44 AM
> To: vpn at securityfocus.com
> Subject: [vpn] SCS: Disabled at interface level
>
>
> Does anyone know what this NetScreen VPN message means?
>
> NetScreen device_id=0010072001000035 system-warning-00528:
> SCS: Disabled at interface level. Client host attempting
> connection to interface 'untrust' with address
> xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyy 42 (2001-12-17 06:15:53)

From pathak at hitechprofessionals.com  Wed Dec 19 09:19:26 2001
From: pathak at hitechprofessionals.com (pathak at hitechprofessionals.com)
Date: 19 Dec 2001 14:19:26 -0000
Subject: [vpn] Is it risk to allow Internet access through VPN??
Message-ID: <20011219141926.17475.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20011219/0e400067/attachment.txt

From crenner at dynalivery.com  Wed Dec 19 18:28:01 2001
From: crenner at dynalivery.com (Chuck Renner)
Date: Wed, 19 Dec 2001 17:28:01 -0600
Subject: [vpn] Is it risk to allow Internet access through VPN??
Message-ID: <1D5FFAF04EC5D31182CD00508B5502BD63F286@novac.dynalivery.com>

> Our VPN clients are passing through Firewall to
> access LAN.  But they are unable to access internet
> when they are connected to VPN.  Our border router
> is configured to allow traffic from LAN only.
>
> Can anyone tell me about the potential risk factors in
> allowing VPN clients to access internet through VPN
> and then Firewall?

There are a number of things to consider, and then you have to make a decision.

To me, having the clients come in through the VPN, and then out through the firewall is the most sensible way to go.  Otherwise, you have to deal with things like split tunnelling, which could potentially be a security hole.  (In that situation, the VPN tunnel handles communications to your LAN, but everything else goes out normally.  If some sort of vulnerability is exploited in this mode, it could make its way into the LAN as well.)

No matter what, the biggest potential security issue with VPN clients has to do with management.  Do all of your remote users have firewalls?  Do they have virus protection?  Are they kept up to date with security patches?  If a VPN client spends any 'unprotected' time on the net, it could be compromised or infected in some way.  Then you give the client direct access into your LAN, and you've effectively allowed Bad Things[tm] a way around your firewall.  (And it doesn't just have to be unprotected on the 'net.  The son of your employee could pop in a floppy disk he got at school that has a virus, trojan, or other such nasty.)
Network Computing just had an article covering the risks of remote users:

http://www.networkcomputing.com/1224/1224ws1.html

From ebrut at seas.gwu.edu  Thu Dec 20 01:48:19 2001
From: ebrut at seas.gwu.edu (ebru)
Date: Thu, 20 Dec 2001 01:48:19 -0500
Subject: [vpn] weak points of VPNs
Message-ID: <3C299B47@webmail3.gwu.edu>

Hi all,

I am going to start my research on VPNs.  I am new to the subject and I would like to know about the most important security problems concerning VPNs (just as a title) or other things (not related to security) you think are weaknesses of VPNs.

Thanks to all who are going to help!

Ebru Taylak

From dgillett at deepforest.org  Thu Dec 20 05:27:42 2001
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Thu, 20 Dec 2001 02:27:42 -0800
Subject: [vpn] Is it risk to allow Internet access through VPN??
In-Reply-To: <20011219141926.17475.qmail@mail.securityfocus.com>
Message-ID: <3C214C9E.22693.27347168@localhost>

On 19 Dec 2001, at 14:19, pathak at hitechprofessionals.co wrote:

> Hello:
>
> Our VPN clients are passing through Firewall to
> access LAN.  But they are unable to access internet
> when they are connected to VPN.  Our border router
> is configured to allow traffic from LAN only.
>
> Can anyone tell me about the potential risk factors in
> allowing VPN clients to access internet through VPN
> and then Firewall?
>
> Thanks,
>
> Jignesh

The nastiest risk is that, with the firewall doing NAT, anything they send to the Internet will *appear* to be coming from your trusted network.

(I had a remote user on a cable modem start up Norton pcAnywhere while they were VPN-connected.  The 253 other cable-modem subscribers in the same Class C block would have seen *our firewall* scanning them if I'd had it configured to allow that traffic to pass....)
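Dave's point here, his earlier one that a client picks the egress interface by destination routing rather than by application, and Chuck's description of split tunnelling as a second path into the LAN can all be seen in one small route-table model. This is an added example, not code from anyone on the thread; `client_table`, `lookup`, `source_seen_by` and `exposure_report` are invented names, and every address is constructed: a home LAN of 192.168.0.0/24 with the client NIC at 192.168.0.10, a corporate LAN of 192.168.1.0/24, a concentrator client pool of 192.168.2.0/24 (virtual address 192.168.2.7), a firewall NAT address of 203.0.113.1 and a neighbouring cable-modem block of 198.51.100.0/24. With split tunnelling off the default route points into the tunnel, so a pcAnywhere scan of the neighbours leaves through the corporate firewall and carries its address; with it on, the same packet leaves the home NIC directly and the client now straddles both networks.

```python
"""Route selection on a VPN client with split tunnelling off vs. on.

Added example, not from the mailing-list thread.  Every address is constructed:
  home LAN        192.168.0.0/24   (client NIC 192.168.0.10)
  corporate LAN   192.168.1.0/24
  client pool     192.168.2.0/24   (virtual VPN address 192.168.2.7)
  firewall NAT    203.0.113.1      (public address of the corporate firewall)
  neighbours      198.51.100.0/24  (a cable-modem block next to the home LAN)
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional

CLIENT_NIC = "192.168.0.10"
CLIENT_VIP = "192.168.2.7"
FIREWALL_NAT = "203.0.113.1"
CORP_PREFIXES = ("192.168.1.0/24", "192.168.2.0/24")


class Route(NamedTuple):
    prefix: str   # destination prefix
    iface: str    # "lan" = physical NIC, "vpn" = virtual tunnel interface
    src: str      # source address stamped on packets sent via this route


def client_table(split_tunnel: bool) -> List[Route]:
    """Routes the VPN client installs once the tunnel is up.

    The corporate prefixes always point into the tunnel.  With split
    tunnelling off, the default route does too and the local LAN is not
    reachable at all; with it on, the local LAN and the default route stay
    on the home NIC."""
    table = [Route(p, "vpn", CLIENT_VIP) for p in CORP_PREFIXES]
    if split_tunnel:
        table.append(Route("192.168.0.0/24", "lan", CLIENT_NIC))
        table.append(Route("0.0.0.0/0", "lan", CLIENT_NIC))
    else:
        table.append(Route("0.0.0.0/0", "vpn", CLIENT_VIP))
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match.  The stack chooses by destination only; which
    application produced the packet plays no part in the decision."""
    d = ip_address(dst)
    hits = [r for r in table if d in ip_network(r.prefix)]
    if not hits:
        return None
    return max(hits, key=lambda r: ip_network(r.prefix).prefixlen)


def source_seen_by(dst: str, split_tunnel: bool) -> str:
    """Source address the host at `dst` observes on an incoming packet.

    Corporate hosts see the client's virtual address.  Anything else that
    travels via the tunnel is NATed by the corporate firewall on its way
    back out, so the remote host sees the firewall, not the client.  Via the
    home NIC the host sees the client itself (the home router's own NAT is
    left out of this model)."""
    route = lookup(client_table(split_tunnel), dst)
    if route is None:
        raise ValueError(f"no route to {dst}")
    if route.iface == "vpn":
        in_corp = any(ip_address(dst) in ip_network(p) for p in CORP_PREFIXES)
        return route.src if in_corp else FIREWALL_NAT
    return route.src


def exposure_report(split_tunnel: bool) -> Dict[str, object]:
    """Summarise what a neighbour on the cable block sees and which paths a
    compromised client has open at the same time."""
    neighbour, corp_host = "198.51.100.9", "192.168.1.20"
    table = client_table(split_tunnel)
    return {
        "neighbour_sees": source_seen_by(neighbour, split_tunnel),
        "neighbour_egress": lookup(table, neighbour).iface,
        "corp_egress": lookup(table, corp_host).iface,
        "direct_lan_path_open": split_tunnel,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("split tunnelling", "on: " if mode else "off:", exposure_report(mode))
```

Run it and the two reports differ in exactly the ways the thread describes: with the tunnel carrying everything, the neighbour sees 203.0.113.1 (the corporate firewall) as the scanner, which is the reason to filter client-sourced traffic at the firewall rather than just pass it; with split tunnelling on, the neighbour sees the client directly while 192.168.1.20 is still one hop away through the tunnel.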
David Gillett

From jmuniz at loudcloud.com  Thu Dec 20 15:12:20 2001
From: jmuniz at loudcloud.com (Jose Muniz)
Date: Thu, 20 Dec 2001 12:12:20 -0800
Subject: [vpn] X-Kryptor
Message-ID: <3C224624.D16705AD@loudcloud.com>

Hello Guys,

I will be taking a close look at the X-Kryptor VPN appliance, and would like to listen to some good/bad/horror stories about this particularly interesting box.  Any other comments are well appreciated.

Thanks a bunch.

Jose.

--
Jose Muniz
Network Engineering
Loudcloud, Inc.
(408)744-7583 Direct
page-jmuniz at loudcloud.com
-------------------------
http://www.loudcloud.com

From pjpslater at ntlworld.com  Fri Dec 21 03:41:12 2001
From: pjpslater at ntlworld.com (Paul J P Slater)
Date: Fri, 21 Dec 2001 08:41:12 -0000
Subject: [vpn] DB and VPN
In-Reply-To: <3C224624.D16705AD@loudcloud.com>
Message-ID:

Hi,

I am just about to embark on a database project which will most probably end up in a VPN.  Users (through a web browser) will be able to read and (with privs) alter the .db contents.  More than likely it will be MS SQL Server 2000 on a Wintel platform.

What are the known VPN minefields for this?

Seasons Greetings,

Paul Slater

From mark.riehl at agilecommunications.com  Fri Dec 21 11:45:04 2001
From: mark.riehl at agilecommunications.com (Mark Riehl)
Date: Fri, 21 Dec 2001 11:45:04 -0500
Subject: [vpn] Rebuilding Tunnels with Dynamic Clients
Message-ID: <3829BAF586F6224BBD29208ADDBE306633B4DB@agile.www.agilecommunications.com>

All -

We're deploying a VPN using a Cisco 515 Pix at the main site and a Cisco 806 at approximately 15 remote sites.  A few of the remote sites use DSL and their IP addresses can be dynamically assigned.  The Pix has a static IP.  If one of our 806 boxes changes IP, the 806 will reestablish VPN tunnels to all of the remote sites w/o any intervention.  What if two remote sites change IP address at the same time?
Each of the newly changed sites will be able to rebuild tunnels to all remote sites except each other (since they don't know the new IPs).

What's the best way to handle this? One of our requirements is to have a hands-off policy for the VPN equipment at the remote sites. I know that our admin can change the config files in each affected 806, but we'd like to automate this. Is there a way to do this, or should we just push for static IPs at each of the remote sites?

Any suggestions?

Thanks for the help,

Mark

--
Mark Riehl
Agile Communications, Inc.
Email: mark.riehl at agilecommunications.com

From ryan at securityfocus.com Fri Dec 21 13:32:43 2001
From: ryan at securityfocus.com (Ryan Russell)
Date: Fri, 21 Dec 2001 11:32:43 -0700 (MST)
Subject: [vpn] DB and VPN
In-Reply-To:
Message-ID:

On Fri, 21 Dec 2001, Paul J P Slater wrote:

> I am just about to embark on a database project which will most probably end
> up in a VPN. Users (through a web browser) will be able to read and (with
> privs) alter the .db contents. More than likely it will be MS SQL server
> 2000 on a Wintel platform.
>
> What are the known VPN minefields for this ?

Who are the users, how will you authenticate, what OS platforms are they on?

For example, if they are your employees, and you can dictate that they must use whatever authentication mechanism you want, and you control what software they are permitted to have on the company computers, then you can pretty much pick whatever VPN you like.

On the other hand, if you're talking about something like a home banking app, where you have no clue what software is being used, then you'll probably be limited to something like username & password, and SSL.

Ryan

From crenner at dynalivery.com Fri Dec 21 12:56:52 2001
From: crenner at dynalivery.com (Chuck Renner)
Date: Fri, 21 Dec 2001 11:56:52 -0600
Subject: [vpn] Is it risk to allow Internet access through VPN??
Message-ID: <1D5FFAF04EC5D31182CD00508B5502BD63F2A1@novac.dynalivery.com>

> What are the possible security holes exposed when using split
> tunneling? could you specify.

If the clients are fully protected by firewalls, anti-virus software, are up to date on all patches, etc., it isn't going to be a problem. But let's say you have a remote worker working from home, connected with a cable modem or DSL, and one or more of the above is not true. Any worm, trojan, virus, exploit, etc. that can get to their system then has a path into your LAN through the VPN.

From djdawso at qwest.com Fri Dec 21 15:34:15 2001
From: djdawso at qwest.com (Dana J. Dawson)
Date: Fri, 21 Dec 2001 14:34:15 -0600
Subject: [vpn] Cisco Unity VPN client on Mac OS X
References:
Message-ID: <3C239CC7.955212CD@qwest.com>

Has anyone gotten Cisco's new Unity client (basically the 3000 series client, version 3.5) to work under Mac OS X? I've got the client installed (Cisco has a minor bug with one of the startup scripts that gets installed, but it's easy to fix), and it connects just fine to my 3000 series concentrator and I get full IP connectivity. The problem is that DNS support is not so wonderful in that OS X doesn't reference the /etc/resolv.conf file on the fly, so even though the Cisco client dynamically and correctly updates this file with the DNS information the concentrator hands out, it doesn't "take" because OS X ignores it. The end result is no DNS.

Thanks in advance, and Happy Holidays!

Dana

--
Dana J. Dawson              djdawso at qwest.com
Senior Staff Engineer       CCIE #1937
Qwest Global Services       (612) 664-3364
Qwest Communications        (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."
From scottn at s2s.ltd.uk Fri Dec 21 19:04:32 2001
From: scottn at s2s.ltd.uk (Scott Nursten)
Date: Sat, 22 Dec 2001 00:04:32 -0000
Subject: [vpn] DB and VPN
In-Reply-To:
Message-ID: <000c01c18a7c$3bc21f00$0400a8c0@beast>

Hi Paul,

Regardless of OS etc., you will be after something that's robust and provides VPN access for a host of users. You're also after something that's easily configurable and easy to maintain.

If you're after an open source solution on a dedicated x86 machine, I have had great mileage with OpenBSD 2.7 upwards. 3.0 has just been released and I've really been enjoying it. The servers / clients behind the units don't really matter - so long as you can have controlled connectivity between the two points.

Otherwise, I would use a dedicated hardware unit, PIX or likewise. It's really dependent on what capabilities you actually require.

If you give us more details on what you actually require from the machine, and more of an idea on the platform / political / financial position, we could probably all narrow down the field quite a lot. There's a lot of solutions that work with relatively few "minefields". :)

Regards,

Scott

> -----Original Message-----
> From: Paul J P Slater [mailto:pjpslater at ntlworld.com]
> Sent: 21 December 2001 08:41
> To: vpn at securityfocus.com
> Subject: [vpn] DB and VPN
>
>
>
> Hi,
>
> I am just about to embark on a database project which will
> most probably end
> up in a VPN. Users (through a web browser) will be able to
> read and (with
> privs) alter the .db contents. More than likely it will be MS
> SQL server
> 2000 on a Wintel platform.
>
> What are the known VPN minefields for this ?
>
> Seasons Greetings,
> Paul Slater
>
>

From pete at ether.net Sat Dec 22 06:51:36 2001
From: pete at ether.net (Pete Davis)
Date: Sat, 22 Dec 2001 06:51:36 -0500
Subject: [vpn] Rebuilding Tunnels with Dynamic Clients
In-Reply-To: <3829BAF586F6224BBD29208ADDBE306633B4DB@agile.www.agilecommunications.com>
References: <3829BAF586F6224BBD29208ADDBE306633B4DB@agile.www.agilecommunications.com>
Message-ID: <20011222065136.A17395@ether.net>

Having static IP addresses always provides you with a higher level of security since it allows you both an IP Address and pre-shared secret to use to create your Security Association. In the cases where you're not able to obtain a Static IP address, then the device without a static address must always initiate the connection to a static peer destination.

In your example, this may require you to route traffic back through your 515 at the main site to reach offices that have Dynamic Peer addresses since the dynamic IP Address sites must initiate the session.

Best Regards,

-pete

On Fri, Dec 21, 2001 at 11:45:04AM -0500, Mark Riehl wrote:
> All - We're deploying a VPN using a Cisco 515 Pix at the main site and a
> Cisco 806 at approximately 15 remote sites. A few of the remote sites use
> DSL and their IP addresses can be dynamically assigned. The Pix has a
> static IP.
>
> If one of our 806 boxes changes IP, the 806 will reestablish VPN tunnels to
> all of the remote sites w/o any intervention. What if two remote sites
> change IP address at the same time? Each of the newly changed sites will be
> able to rebuild tunnels to all remote sites except each other (since they
> don't know the new IPs).
> What's the best way to handle this? One of our requirements is to have a
> hands off policy for the VPN equipment at the remote sites. I know that our
> admin can change the config files in each affected 806, but we'd like to
> automate this.
> Is there a way to do this, or, should we just push for
> static IPs at each of the remote sites?
> Mark Riehl
> Agile Communications, Inc.
> Email: mark.riehl at agilecommunications.com

---
Pete Davis - Product Manager              (508) 541-7300 x6154
Cisco Systems, Inc. - 38 Forge Park       Franklin, MA 02038

From pjpslater at ntlworld.com Sat Dec 22 12:00:15 2001
From: pjpslater at ntlworld.com (Paul J P Slater)
Date: Sat, 22 Dec 2001 17:00:15 -0000
Subject: [vpn] DB and VPN
In-Reply-To:
Message-ID:

Hi,

>Who are the users, how will you authenticate, what OS platforms are they
>on.

>For example, if they are your employees, and you can dictate that they
>must use whatever authentication mechanism you want, and you control what
>software they are permitted to have on the company computers, then you can
>pretty much pick whatever VPN you like.

>On the other hand, if you're talking about something like a home banking
>app, where you have no clue what software is being used, then you'll
>probably be limited to something like username&password, and SSL.

>Ryan

The users are not employees. They will be coming in through web browsers on unknown platforms. The .db will in the main be read by the majority of users. However, a smaller number will be granted write access (to update their own company details) using whatever privs are appropriate.

Thanks for the suggestions, Ryan.

Seasons Greetings to one and all,
Paul Slater

From pjpslater at ntlworld.com Sat Dec 22 12:00:19 2001
From: pjpslater at ntlworld.com (Paul J P Slater)
Date: Sat, 22 Dec 2001 17:00:19 -0000
Subject: [vpn] DB and VPN
In-Reply-To: <000c01c18a7c$3bc21f00$0400a8c0@beast>
Message-ID:

>Regardless of OS etc, you will be after something that's robust and
>provides vpn access for a host of users. You're also after something
>that's easily configurable and easy to maintain.
>If you give us more details on what you actually require from the
>machine, and more of an idea on the platform / political / financial
>position, we could probably all narrow down the field quite a lot.

Scott,

Yes, I need VPN access for the users, on the basis that the db is finally hosted within a VPN. Correct again on the configuration and maintenance. This is not a "do it" and run.

Thanks for the tip on OpenBSD. I'll bear this in mind when I come to look into this more seriously. When the spec firms up a bit more, I'll sound you out on it.

Many thanks.

Seasons greetings to one and all,
Paul Slater

From dmercurio at ccgsecurity.com Mon Dec 24 08:10:37 2001
From: dmercurio at ccgsecurity.com (Dante Mercurio)
Date: Mon, 24 Dec 2001 08:10:37 -0500
Subject: [vpn] DB and VPN
Message-ID: <03EA8EE1BD1FAD46A6AB4525406795E174F1@ct2001.webcti.local>

If I understand you correctly, VPN does not sound like the best solution for this project. If the only thing your vendors need access to is a web interface, your best bet is to set up a certificate server, and issue certificates to the vendors. Make sure your webserver only accepts certain certificates to authenticate, and have the vendors install the certificate on the machines they wish to access with.

1) This ensures only authenticated users will have access to the web interface.
2) SSL encrypts the data so you are secure there.
3) You can suspend or restrict access by revoking a certificate.
4) It is much easier to manage than trying to install VPN software with many different people using different hardware, and using different ISPs.

Just a thought.

M.
Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
dmercurio at ccgsecurity.com

> -----Original Message-----
> From: Paul J P Slater [mailto:pjpslater at ntlworld.com]
> Sent: Friday, December 21, 2001 3:41 AM
> To: vpn at securityfocus.com
> Subject: [vpn] DB and VPN
>
>
>
> Hi,
>
> I am just about to embark on a database project which will
> most probably end up in a VPN. Users (through a web browser)
> will be able to read and (with
> privs) alter the .db contents. More than likely it will be MS
> SQL server 2000 on a Wintel platform.
>
> What are the known VPN minefields for this ?
>
> Seasons Greetings,
> Paul Slater
>
>

From pjpslater at ntlworld.com Thu Dec 27 06:13:41 2001
From: pjpslater at ntlworld.com (Paul J P Slater)
Date: Thu, 27 Dec 2001 11:13:41 -0000
Subject: [vpn] DB and VPN
In-Reply-To: <03EA8EE1BD1FAD46A6AB4525406795E174F1@ct2001.webcti.local>
Message-ID:

> If I understand you correctly, VPN does not sound like the best solution
> for this project.

Thank you for that wise observation. There is a need to create a VPN for employees using known hardware. Two different project requirements were mixed up. The SQL database is for another project which may or may not be within the VPN. The database will be for public access with write permissions for authorised users. Both projects are in their infancy and I am in the process of establishing project needs/requirements.

Thank you for sharing your thoughts on this.

Seasons Greetings,
Paul Slater

From brian_anon at hotmail.com Thu Dec 27 15:52:15 2001
From: brian_anon at hotmail.com (Brian E)
Date: 27 Dec 2001 20:52:15 -0000
Subject: [vpn] Wanted..
Managed Security Service Provider for CA and directory services
Message-ID: <20011227205215.14981.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20011227/78fa899a/attachment.txt

From mcschlup at yahoo.com Fri Dec 28 09:16:31 2001
From: mcschlup at yahoo.com (Markus Schlup)
Date: Fri, 28 Dec 2001 06:16:31 -0800 (PST)
Subject: [vpn] Nokia Crypto Cluster <-> Cisco 1720
Message-ID: <20011228141631.91709.qmail@web13602.mail.yahoo.com>

I'm looking for somebody with experience in setting up a VPN between the above mentioned VPN devices. I'm still trying without any luck to get the two to communicate with each other. Searching the net did not give me any hints. Any configs that you may share?

Thanks,
Markus

__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com

From Joel.Snyder at Opus1.COM Fri Dec 28 14:04:34 2001
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Fri, 28 Dec 2001 12:04:34 -0700 (MST)
Subject: [vpn] Nokia Crypto Cluster <-> Cisco 1720
In-Reply-To: "Your message dated Fri, 28 Dec 2001 06:16:31 -0800 (PST)" <20011228141631.91709.qmail@web13602.mail.yahoo.com>
Message-ID: <01KCEG46O0EA91VRD5@Opus1.COM>

Our company wrote the training materials for the Nokia products. I'd be happy to help. Drop me an email. The short answer is that you should have no problems---the CC product line is very compliant with the RFCs, and while there are certain restrictions in the Cisco commands for setting this sort of stuff up, none of those will cause any grief with the Nokia boxes.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)

>I'm looking for somebody with experience in setting up
>a VPN between the above mentioned VPN devices.
>I'm
>still trying without any luck to get the two
>communicate with each other. Searching the net did not
>give me any hints. Any configs that you may share?
>Thanks,
>Markus
>__________________________________________________
>Do You Yahoo!?
>Send your FREE holiday greetings online!
>http://greetings.yahoo.com

From itsd2001 at hotmail.com Fri Dec 28 20:50:16 2001
From: itsd2001 at hotmail.com (itsd itsd)
Date: Fri, 28 Dec 2001 20:50:16 -0500
Subject: [vpn] VPN Setup
Message-ID:

Hi,

We would like to put the Cisco VPN 3000 Gateway like this:

          DMZ
           |
           |
Private===FW1=====Catalyst2900==Cisco_Router_7200====Internet
           |              |
           |====VPN3000===|

Questions:
=========

1) Is this good solution (security, performance, .....)
2) FW1 is CheckPoint Firewall 1 with 4 interface (all are in different subnet):
   -One connected to private Network
   -One to Catalyst 2900
   -One to DMZ
   -One we like to connect it to VPN 3000

   What did I need to open (rule) on FW-1 to make the VPN working.

3) What access-list I need to put on Cisco 7200 ?

Private: Catalyst 5500 + RSM
VPN Gateway: Cisco VPN 3000 (Software Version 3.5)
FW-1: Checkpoint FW-1 ver. 4.1 SP2
Router: Cisco Router 7200 (version 12.X)
VPN Client: Software Client / Hardware client 3002 (Software Version 3.5)

Thanks

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com

From hayyan at arab.net.sa Sun Dec 30 02:01:38 2001
From: hayyan at arab.net.sa (Hayyan Alsayyed)
Date: Sun, 30 Dec 2001 10:01:38 +0300
Subject: [vpn] Simple Scenario
Message-ID: <005201c190ff$d5a27aa0$14d40c0a@arabnet.alofoq>

Hi,

There is a company with many branches, connected via leased lines so they have fixed IP addresses. Secondly they have 12 mobile users and they need a secure channel to access some information (unknown) in their own LAN.
So they want a VPN server (as a secure gateway) installed in their main office.

Can you please suggest a solution.

Is there anyone who knows about eTrust (CA) VPN software (http://www.ca.com), and whether it's applicable in this scenario?

Thanks for help

Hayyan

From TomM at spectrum-systems.com Mon Dec 31 09:25:42 2001
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Mon, 31 Dec 2001 09:25:42 -0500
Subject: [vpn] Simple Scenario
Message-ID: <2A0DB5123A51874C82699788F0985ED2064909@sith.spectrum-systems.com>

my company resells a vpn product line (netscreen) that can do the job well, but whatever solution you go for, make sure to encourage them to put firewall software on the remote users' computers!

additionally, they may want to consider vpn-connecting all the offices instead of maintaining leased lines. each office would have its own 'net link, and the vpns can be configured to allow access between the sites, using the main office as a communications hub or using a web-like layout.

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com
Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"
11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

Concerned about the security of your network? Spectrum Systems' Network Security products and services can take the worry out of protecting your network. Call us at 800-929-3781 or visit us at http://www.spectrum-systems.com to learn more.

> -----Original Message-----
> From: Hayyan Alsayyed [mailto:hayyan at arab.net.sa]
> Sent: Sunday, December 30, 2001 2:02 AM
> To: VPN at securityfocus.com
> Subject: [vpn] Simple Scenario
>
>
> Hi,
> There is a company with many branches, connected via leased
> lines so they
> have a fixed IP addresses. Secondly they have 12 mobile users
> and they need
> a secure channel to access some information (unkown) in their
> own LAN .
> So
> they want a VPN server (as a secure gateway) installed in
> their main office
> .
> Can you pleaze suggest a solution
> Is there any one who know about eTrust (CA) VPN software
> (http://www.ca.com), and whether its applicable in this scenario?
>
> Thanks for help
>
> Hayyan
>
>

From pete at ether.net Mon Dec 31 13:53:13 2001
From: pete at ether.net (Pete Davis)
Date: Mon, 31 Dec 2001 13:53:13 -0500
Subject: [vpn] RE: VPN Setup
In-Reply-To:
References:
Message-ID: <20011231135313.A26159@ether.net>

In general for this type of configuration, you would put the VPN3000 off the FW1 on the public interface and off the private network for the private interface.

For remote access users, you would either assign addresses using DHCP or an address pool. For same subnet addresses, the Concentrator will proxy ARP for these addresses. If you are using an address pool on a different subnet, you would either need to announce this subnet with a routing protocol (i.e. using Reverse Route Injection) or add a static route for this subnet on your FW1 private side, pointing to the VPN 3000 private side interface.

If the 7200 or FW1 are blocking traffic, they need to permit the following protocols/ports to the VPN 3000:

ESP (Protocol 50) inbound
UDP (Port 500 destination) inbound
UDP (Port 10,000 destination) inbound [ only if you're using IPsec/UDP ]
TCP (port 10,000 or whatever ports you allow for IPsec/TCP)

Output, you would permit anything from the VPN3000 out.

The tunnel default gateway on your VPN3000 should point to the private interface IP of the FW doing PAT (FW-1). The Concentrator will need a routable private address either accomplished by assigning a routable subnet to this FW-1 interface you have configured, or by performing 1:1 NAT on your FW-1. If you are using 1:1 NAT, you will be unable to support the current version of the MS L2TP/IPsec client for incoming remote access users.
Best Regards,

-pete

> We would like to put the Cisco VPN 3000 Gateway like this:
>
>
>           DMZ
>            |
>            |
> Private===FW1=====Catalyst2900==Cisco_Router_7200====Internet
>            |              |
>            |====VPN3000===|
>
>
> Questions:
> =========
>
> 1) Is this good solution (security, performance, .....)
> 2) FW1 is CheckPoint Firewall 1 with 4 interface (all are in different
> subnet):
> -One connected to private Network
> -One to Catalyst 2900
> -One to DMZ
> -One we like to connect it to VPN 3000
>
> What did I need to open (rule) on FW-1 to make the VPN working.
>
> 3) What access-list I need to put on Cisco 7200 ?
>
> Private: Catalyst 5500 + RSM
> VPN Gateway: Cisco VPN 3000 (Software Version 3.5)
> FW-1: Checkpoint FW-1 ver. 4.1 SP2
> Router: Cisco Router 7200 (version 12.X)
> VPN Client: Software Client / Hardware client 3002 (Software Version 3.5)
>
> Thanks
>
>
> _________________________________________________________________
> Send and receive Hotmail on your mobile device: http://mobile.msn.com
>
>
>

---
Pete Davis - Product Manager              (508) 541-7300 x6154
Cisco Systems, Inc. - 38 Forge Park       Franklin, MA 02038

From safiera at gss-inc.com Mon Dec 31 13:17:58 2001
From: safiera at gss-inc.com (Adam Safier)
Date: Mon, 31 Dec 2001 13:17:58 -0500
Subject: [vpn] RE: VPN Setup
In-Reply-To:
Message-ID:

You don't say if this is client VPN (user PC to gateway) or a site-site VPN. Since it's a 3000 my guess is it's a client VPN.

I think this is a common solution if the FW1 was replaced with a Cisco router and you turned on policy routing (need cisco geek input here ... I'm not fully up on how that works with Cisco gear and our gurus are too busy to ask for free-bee advice....). FW-1 will not do policy routing - it relies on the underlying OS platform for routing capabilities. With FW-1 being a Check Point it does not make a great deal of sense to do this.
Check Point has a very low cost VPN add-on - the VPN license is free but you have to pay for DES+ encryption code. It's a minor cost in the scheme of things. Anyway, why not run the VPN to the Check Point and save the cost and headache of adding the 3000? If you need site-site VPN see if the OS on the 7200 will handle the site-site VPN. Then you can still force authentication at the FW-1.

If you persist with this layout you will have a special issue with routing. Either you will need an internal NAT so replies from internal hosts can get back to the VPN box or you will need to point your default route from the FW-1 to the Cisco 3000.

Adam Safier
Global Systems & Strategies, Inc (GSS)
7000 Security Blvd, Suite 300
Baltimore, Md. 21244
(443) 436-6393
(410) 281-9193

-----Original Message-----
From: itsd itsd [mailto:itsd2001 at hotmail.com]
Sent: Friday, December 28, 2001 8:50 PM
To: vpn at securityfocus.com
Subject: VPN Setup

Hi,

We would like to put the Cisco VPN 3000 Gateway like this:

          DMZ
           |
           |
Private===FW1=====Catalyst2900==Cisco_Router_7200====Internet
           |              |
           |====VPN3000===|

Questions:
=========

1) Is this good solution (security, performance, .....)
2) FW1 is CheckPoint Firewall 1 with 4 interface (all are in different subnet):
   -One connected to private Network
   -One to Catalyst 2900
   -One to DMZ
   -One we like to connect it to VPN 3000

   What did I need to open (rule) on FW-1 to make the VPN working.

3) What access-list I need to put on Cisco 7200 ?

Private: Catalyst 5500 + RSM
VPN Gateway: Cisco VPN 3000 (Software Version 3.5)
FW-1: Checkpoint FW-1 ver. 4.1 SP2
Router: Cisco Router 7200 (version 12.X)
VPN Client: Software Client / Hardware client 3002 (Software Version 3.5)

Thanks

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com
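An added example for the "VPN Setup" thread above, written for this archive and not code from the thread, from Cisco or from Check Point: a small first-match rule evaluator that audits an inbound ruleset for the 7200/FW-1 position against the protocol and port list in Pete Davis's reply (ESP, UDP/500, UDP/10000 for IPsec/UDP, TCP/10000 for IPsec/TCP), and shows two ways such a ruleset commonly goes wrong. The concentrator address, the rule format and all three rulesets are constructed assumptions for the example.

```python
"""Added example (not from the thread): audit an inbound edge ruleset for the
VPN 3000 public interface against the flows listed in the thread.
Addresses and rulesets are constructed; nothing here is vendor code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"
VPN3000_PUBLIC = "203.0.113.10"   # constructed (RFC 5737 documentation range)


@dataclass(frozen=True)
class Flow:
    """One inbound packet class: protocol, destination host, destination port."""
    proto: str                    # "esp", "udp", "tcp", "icmp"
    dst: str
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    """One ACL entry; proto "ip" matches any protocol, ANY matches any host."""
    action: str                   # "permit" or "deny"
    proto: str
    dst: str
    dport: Optional[int] = None   # None = any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.dst != ANY and self.dst != f.dst:
            return False
        return self.dport is None or self.dport == f.dport


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an unmatched flow hits the implicit deny."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "deny"


# Inbound flows the concentrator's public side needs (Pete's list).
REQUIRED = [
    Flow("esp", VPN3000_PUBLIC),          # IP protocol 50
    Flow("udp", VPN3000_PUBLIC, 500),     # ISAKMP / IKE
    Flow("udp", VPN3000_PUBLIC, 10000),   # IPsec/UDP encapsulation
    Flow("tcp", VPN3000_PUBLIC, 10000),   # IPsec/TCP encapsulation
]

# Flows that should stay blocked: no management or other services exposed.
MUST_DENY = [
    Flow("tcp", VPN3000_PUBLIC, 23),      # telnet
    Flow("tcp", VPN3000_PUBLIC, 80),      # web management
    Flow("udp", VPN3000_PUBLIC, 161),     # SNMP
    Flow("icmp", VPN3000_PUBLIC),
]


def audit(rules: List[Rule]) -> Tuple[List[Flow], List[Flow]]:
    """Return (required flows not permitted, must-deny flows that are permitted)."""
    missing = [f for f in REQUIRED if evaluate(rules, f) != "permit"]
    leaked = [f for f in MUST_DENY if evaluate(rules, f) == "permit"]
    return missing, leaked


# Ruleset 1: Pete's list translated one-to-one, with an explicit final deny.
TIGHT = [
    Rule("permit", "esp", VPN3000_PUBLIC),
    Rule("permit", "udp", VPN3000_PUBLIC, 500),
    Rule("permit", "udp", VPN3000_PUBLIC, 10000),
    Rule("permit", "tcp", VPN3000_PUBLIC, 10000),
    Rule("deny", "ip", ANY),
]

# Ruleset 2: the shortcut "permit ip any host <vpn3000>"; the tunnel comes up,
# but every other service on the concentrator is reachable from the Internet.
LOOSE = [Rule("permit", "ip", VPN3000_PUBLIC)]

# Ruleset 3: IKE allowed but ESP forgotten; IKE negotiates, then no data flows.
FORGOT_ESP = [r for r in TIGHT if r.proto != "esp"]

if __name__ == "__main__":
    for name, rs in (("tight", TIGHT), ("loose", LOOSE), ("forgot_esp", FORGOT_ESP)):
        missing, leaked = audit(rs)
        print(f"{name}: missing={missing} leaked={leaked}")
```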