From Nehoda at NEHODATECH.COM Thu Feb 1 11:09:23 2001
From: Nehoda at NEHODATECH.COM (Nehoda at NEHODATECH.COM)
Date: Thu, 1 Feb 2001 08:09:23 -0800
Subject: Cable modem and vpns
Message-ID: <20010201160923.10081.cpmta@c001.snv.cp.net>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20010201/9a162314/attachment.txt

From PWolf at MC.CC.MD.US Thu Feb 1 09:54:09 2001
From: PWolf at MC.CC.MD.US (Wolf, Paul)
Date: Thu, 1 Feb 2001 09:54:09 -0500
Subject: Assistance
Message-ID:

Hello,

I'm new to the list and new to VPNs. I am trying to find a reference so I can start to understand VPNs and what is needed to create one. My situation is as follows:

Remote site utilizing DSL for connectivity to the internet via an ISP. Main site running Check-Point firewall with high speed access to the internet. We want to develop a solution that would allow the remote site to access network services on our main site. In the past we would utilize ATM to provide direct connectivity to our infrastructure but this solution is becoming more and more expensive and we are looking for ways to cut our infrastructure costs.

Any help on this matter would be greatly appreciated. I am looking for direction to resource(s) that would provide me with information on what is needed to implement a VPN solution.

My Thanks.

Paul Wolf
Network Engineer
Montgomery College
240-314-3108

VPN is sponsored by SecurityFocus.COM

From mark.riehl at AGILECOMMUNICATIONS.COM Thu Feb 1 10:09:48 2001
From: mark.riehl at AGILECOMMUNICATIONS.COM (Mark Riehl)
Date: Thu, 1 Feb 2001 10:09:48 -0500
Subject: VPN Hardware and OS Suggestions
Message-ID: <3829BAF586F6224BBD29208ADDBE30664161@agile.agilecommunications.com>

All,

We're planning on setting up a VPN server for a small business with between 10 - 15 users, each at a different site.
After talking to several people and doing some research, we're leaning toward a Checkpoint software server with WatchGuard SOHO boxes at each client. We're planning on a dedicated box to run the Checkpoint software. Behind the Checkpoint server will be an email server, some file sharing, etc. All of the clients are either on DSL or cable modems.

Questions:

1. What are some real world hardware requirements for the server? Should this be as fast as possible - e.g., a 1 GHz PIII? I don't have a lot of experience in this area and I'm trying to get a feel for how busy this box will be. Again, this will be a dedicated box that has two LAN cards - one to the ISP, and the other to the LAN with the email server.

2. If you had the option to use Win2K, Linux, or Solaris x86, which would you choose and why? I have experience with all three (as a developer rather than a security person), but I'd like to hear a few opinions/suggestions.

Thanks for the info,
Mark

From dan.schlitt at SMARTS.COM Thu Feb 1 16:50:39 2001
From: dan.schlitt at SMARTS.COM (Schlitt, Dan)
Date: Thu, 1 Feb 2001 16:50:39 -0500
Subject: Need suggestions of client software
In-Reply-To:
Message-ID:

We are looking for client software for use by remote employees and would like some suggestions. Comments from folks with experience using the software would be useful.

We need a client that will use IPSEC and transparently do tcp, udp and icmp. It needs to run on NT 4.0 and optionally also windows2000. It needs to interoperate with the IPSEC in Cisco IOS 12.0. Initially we would like to stay away from PKI issues by using manually configured shared secrets for authentication.

While I have lists of sources from a couple of web sites the lists are long and many of the sources are oriented toward OEMs or hardware and not user client software.

I would appreciate any suggestions.
/san

--
Dan Schlitt                  System Management Arts
dan at smarts.com            1 North Lexington Avenue
tel: (914)948-6200 x 7210    White Plains, New York 10601
fax: (914)948-6270

From sandy at STORM.CA Fri Feb 2 23:46:08 2001
From: sandy at STORM.CA (Sandy Harris)
Date: Fri, 2 Feb 2001 23:46:08 -0500
Subject: Need suggestions of client software
References:
Message-ID: <3A7B8D10.7ED820AE@storm.ca>

"Schlitt, Dan" wrote:
>
> We are looking for client software for use by remote employees and would
> like some suggestions. Comments from folks with experience using the
> software would be useful.
>
> We need a client that will use IPSEC and transparently do tcp, udp and
> icmp. It needs to run on NT 4.0 and optionally also windows2000.

One list of Windows clients is:
http://www.freeswan.org/freeswan_trees/freeswan-1.8/doc/interop.html#winclient

> It needs to interoperate with the IPSEC in Cisco IOS 12.0.

In theory, any two IPSEC implementations should interoperate. The protocols were designed to support that. In practice, it is more complex.

Cisco have a client available which will almost certainly work with their routers. I've been told it is just the IRE client, sold by Cisco under an OEM agreement, but am not entirely certain of that.

The NAI/PGP client might be convenient if you also need email, files or disks encrypted. These applications come bundled together in their package.

From bhaney at SATEL.COM Sat Feb 3 19:21:45 2001
From: bhaney at SATEL.COM (Brian Haney)
Date: Sat, 3 Feb 2001 17:21:45 -0700
Subject: Cable modem and vpns
References: <20010201160923.10081.cpmta@c001.snv.cp.net>
Message-ID: <003c01c08e40$74eb4240$e312e63f@brian>

What type of VPN are you using? Many VPN technologies have problems with NAT overload (PAT - Port address translation or "one to many" translations) because they are implemented at the IP layer. IPSEC, for example, uses ESP or AH, which are protocols 50 and 51.
This is protocol, not port. It's IP layer. However the initial communication is going to be (most likely) ISAKMP which is UDP port 500.

Send your VPN type and the circumstances of the connection and maybe we can help.

----- Original Message -----
From:
To:
Sent: Thursday, February 01, 2001 9:09 AM
Subject: Cable modem and vpns

> My vpn server is connected to a firewall and a T1. I can use a dial up account to access the remote network, but when I try to use a cable modem it does not respond. Is there anything you know about this situation? I have all ports open on the firewall for VPN.
>
> David S. Nehoda, CCNA, MCSE+I
> Systems Consultant
> david at nehodatech.com

From gpaine at V-ONE.COM Mon Feb 5 09:42:58 2001
From: gpaine at V-ONE.COM (george paine)
Date: Mon, 5 Feb 2001 09:42:58 -0500
Subject: Cable modem and vpns
References: <20010201160923.10081.cpmta@c001.snv.cp.net>
Message-ID: <3A7EBBF2.C1C9D135@v-one.com>

David S. Nehoda wrote:
>
> My vpn server is connected to a firewall and a T1. I can use a dial
> up account to access the remote network, but when I try to use a
> cable modem it does not respond. Is there anything you know about
> this situation? I have all ports open on the firewall for VPN.
>

you didn't specify what VPN you're using - if you're running IPSec it's prob. getting blocked by your cable carrier. to get them to un-block it you'll have to switch your cable account from a residential to a business tariff (this will, of course, increase your cable subscription cost). another approach would be to use a non-IPSec proxy client if your VPN supports it.

George T. Paine
V-ONE Corp.
-- security for a connected world
gpaine at v-one.com
301 515 5200 ext 5322
301 641 4277 mobile
http://www.v-one.com

From dgillett at NIKU.COM Sun Feb 4 16:51:05 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Sun, 4 Feb 2001 13:51:05 -0800
Subject: Cable modem and vpns
In-Reply-To: <20010201160923.10081.cpmta@c001.snv.cp.net>
Message-ID: <058201c08ef4$93a48110$f30410ac@niku.com>

Three possibilities spring immediately to mind:

1. Some VPN protocols use additional IP-suite protocols besides TCP and UDP (port numbers are a feature within these two). Your cable-modem access device/firewall may not be allowing these additional protocols; it might not have a way to allow them.

2. Some VPN protocols require the end points to agree about each other's real IP addresses. Your cable-modem access device/firewall may be doing NAT, PAT or proxying that these protocols cannot operate over.

3. At least one @home-affiliated cable company has banned commercial use of their consumer-grade service, which they define as including all VPN use. They want VPN users to buy their more-expensive "business-grade" @work service instead.

If you specify the server, the client, the firewall, the cable access device and the cable provider, we can probably narrow this list down.

David Gillett
Senior Network Engineer (650) 701-2702
Niku Corp. "Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Nehoda at NEHODATECH.COM
Sent: Thursday, February 01, 2001 8:09 AM
To: VPN at SECURITYFOCUS.COM
Subject: Cable modem and vpns

My vpn server is connected to a firewall and a T1. I can use a dial up account to access the remote network, but when I try to use a cable modem it does not respond. Is there anything you know about this situation? I have all ports open on the firewall for VPN.

David S.
Nehoda, CCNA, MCSE+I
Systems Consultant
david at nehodatech.com

From jrdepriest at FTB.COM Mon Feb 5 15:24:13 2001
From: jrdepriest at FTB.COM (DePriest, Jason R.)
Date: Mon, 5 Feb 2001 14:24:13 -0600
Subject: Cable modem and vpns
Message-ID:

It could also be an MTU issue. If the MTU of the cable modem is 1500 for ethernet, it might need to be fragmented after the auth/encrypt overhead is added on to it. Windows NT and Windows 2000 flag the datagrams as "don't fragment" so they can't be fragmented and are dropped. You can try enabling PMTUAutoDiscovery or manually setting a lower MTU such as 1480 or something around that.

-----Original Message-----
From: John Starta [mailto:john.starta at TRIPLESTICKS.COM]
Sent: Saturday, February 03, 2001 4:59 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Cable modem and vpns

David,

Two possibilities immediately come to mind:

1. Your cable modem setup utilizes Network Address Translation (NAT) and the VPN technology you're using isn't NAT friendly. (What are you using?)

2. Your cable provider is blocking the ports. Many of them prohibit the use of VPNs on residential service. Check with your cable provider.

Can you ping your VPN server when on the cable modem?

jas

At 08:09 AM 2/1/01 -0800, Nehoda at NEHODATECH.COM wrote:
> My vpn server is connected to a firewall and a T1. I can use a dial up
> account to access the remote network, but when I try to use a cable modem
> it does not respond. Is there anything you know about this situation? I
> have all ports open on the firewall for VPN.
>
> David S.
> Nehoda, CCNA, MCSE+I
> Systems Consultant
> david at nehodatech.com

From shope at ENERGIS-EIS.CO.UK Mon Feb 5 04:57:15 2001
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Mon, 5 Feb 2001 09:57:15 -0000
Subject: Need suggestions of client software
Message-ID: <01903665B361D211BF6700805FAD5D93D9E58E@mail.datarange.co.uk>

Dan,

the first answer has to be - go and try the Cisco clients. That way you get support, which probably outweighs other considerations for a commercial implementation.

There are 2 different cisco code sets.

1. OEM client from IRE (i think they changed the company name recently) - this was the original client supplied by Cisco. You need at least V1.1, as before this the documentation was inaccurate, and didn't cover talking to Cisco devices. There are a few cisco tech notes about implementation on their web site. This version can support PKI or shared secrets. Big problem with this is the config is complicated.

2. The ex Altiga client is now supported for communication to Cisco routers and PIX firewalls. IMHO this client used to be the main reason Altiga remote access concentrators sold so well. You can set client config / policy at the central site and "push" it to clients when they connect - this means client remote setup is just interface for traffic and IP address of the concentrator. Don't know if the "push" stuff has made it to the routers yet, but if so you will probably need IOS 12.1.xxx

Biggest problem we had recently was that there was no way in the Cisco pricelist to buy the Altiga client separately from the concentrator, despite the security specialists telling everyone this would be the new "strategic" solution...

Of course, all this would be easier if you used the Cisco VPN 3000 box (the old Altiga line) at the central site as well......
We have used NT and Win9x platforms - no idea with W2k, but it wasn't in the support list a couple of months back. There are rumours of a beta client around but i haven't needed to look at that.

Good luck

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Schlitt, Dan [mailto:dan.schlitt at SMARTS.COM]
> Sent: 01 February 2001 21:51
> To: VPN at SECURITYFOCUS.COM
> Subject: Need suggestions of client software
>
> We are looking for client software for use by remote employees and would
> like some suggestions. Comments from folks with experience using the
> software would be useful.
>
> We need a client that will use IPSEC and transparently do tcp, udp and
> icmp. It needs to run on NT 4.0 and optionally also windows2000. It needs
> to interoperate with the IPSEC in Cisco IOS 12.0. Initially we would like
> to stay away from PKI issues by using manually configured shared secrets
> for authentication.
>
> While I have lists of sources from a couple of web sites the lists are
> long and many of the sources are oriented toward OEMs or hardware and not
> user client software.
>
> I would appreciate any suggestions.
>
> /san
>
> --
> Dan Schlitt                  System Management Arts
> dan at smarts.com            1 North Lexington Avenue
> tel: (914)948-6200 x 7210    White Plains, New York 10601
> fax: (914)948-6270

-----------------------------------------------------------------------------------------------------------
This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Energis Integration Services.
If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited.

We have an anti-virus system installed on all our PC's and therefore any files leaving us via e-mail will have been checked for known viruses. Energis Integration Services accepts no responsibility once an e-mail and any attachments leave us.

If you have received this email in error please notify Energis Integration Services Communications IT department on +44 (0) 1494 476222.
-----------------------------------------------------------------------------------------------------------

From john.starta at TRIPLESTICKS.COM Sat Feb 3 17:58:36 2001
From: john.starta at TRIPLESTICKS.COM (John Starta)
Date: Sat, 3 Feb 2001 15:58:36 -0700
Subject: Cable modem and vpns
In-Reply-To: <20010201160923.10081.cpmta@c001.snv.cp.net>
Message-ID: <5.0.2.1.2.20010203154934.0256dec0@pop.trplstx.com>

David,

Two possibilities immediately come to mind:

1. Your cable modem setup utilizes Network Address Translation (NAT) and the VPN technology you're using isn't NAT friendly. (What are you using?)

2. Your cable provider is blocking the ports. Many of them prohibit the use of VPNs on residential service. Check with your cable provider.

Can you ping your VPN server when on the cable modem?

jas

At 08:09 AM 2/1/01 -0800, Nehoda at NEHODATECH.COM wrote:
> My vpn server is connected to a firewall and a T1. I can use a dial up
> account to access the remote network, but when I try to use a cable modem
> it does not respond. Is there anything you know about this situation? I
> have all ports open on the firewall for VPN.
>
> David S.
> Nehoda, CCNA, MCSE+I
> Systems Consultant
> david at nehodatech.com

From pete at ETHER.NET Mon Feb 5 17:41:07 2001
From: pete at ETHER.NET (Pete Davis)
Date: Mon, 5 Feb 2001 17:41:07 -0500
Subject: Need suggestions of client software
In-Reply-To: <01903665B361D211BF6700805FAD5D93D9E58E@mail.datarange.co.uk>
References: <01903665B361D211BF6700805FAD5D93D9E58E@mail.datarange.co.uk>
Message-ID: <20010205174107.A6758@ether.net>

The client is available for free on CCO (www.cisco.com) for Cisco Customers with Smartnet contracts.

SW CENTER / VPN Software / 3000

Or it can be ordered for a $50 media charge

CVPN3000-CLNT-25=

--p

> Biggest problem we had recently was that there was no way in the Cisco
> pricelist to buy the Altiga client separately from the concentrator, despite
> the security specialists telling everyone this would be the new "strategic"
> solution...

---
Pete Davis - Product Manager (508) 541-7300 x6154
Cisco Systems, Inc. - 38 Forge Park Franklin, MA 02038

From galorath at GALORATH.COM Mon Feb 5 19:23:07 2001
From: galorath at GALORATH.COM (Dan Galorath)
Date: Mon, 5 Feb 2001 16:23:07 -0800
Subject: Very Slow VPN Performance
Message-ID:

Our throughput using VPN is pathetic.

The server side is nt4 server with a T1 line & ms proxy server. that server does nothing but run external communications.

the client side win2k or win98 with DSL or cable.

Effective speed for copying a file from the nt server is only a few (2-4) kbytes per second. Accessing mail is nearly as bad as dialup. Manipulating a file (such as editing a word document) through a mapped drive to the VPN is impractical.

Using PCanywhere over the same VPN connection, uncompressible files move at about 80kbytes per second. I have heard I should expect 70% of full speed with VPN, which is about what we are getting with PCanywhere.

I don't know where to turn to correct this.
Any thought / guidance would be greatly appreciated

From bjaber at IPASS.COM Mon Feb 5 20:45:21 2001
From: bjaber at IPASS.COM (Basim Jaber)
Date: Mon, 5 Feb 2001 17:45:21 -0800
Subject: Very Slow VPN Performance
Message-ID: <71038994C3C0D411AD0C009027723C2C1B1D86@mtvxfiles.corp.ipass.com>

Dan,

Several things you can do to alleviate this.

1) Stop using MS PPTP. Put plain and simple, it's the slowest performing VPN. The reason why it's one of the most widely used, however, is that it's free. Try a VPN solution like Cisco VPN 3000 Series or Nortel Contivity Extranet Access.

2) If you still want to use PPTP, try centralizing all of your applications on Terminal Servers. Then you simply distribute the Terminal Server client (or use the web based Terminal Server Advanced Client). Then all you're running through the PPTP pipe is the GUI and not all the overhead.

Basim S. Jaber
Senior Systems Engineer
VPN Services / Customer Implementation
iPass Inc.
http://www.ipass.com

> -----Original Message-----
> From: Dan Galorath [mailto:galorath at GALORATH.COM]
> Sent: Monday, February 05, 2001 4:23 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Very Slow VPN Performance
>
> Our throughput using VPN is pathetic.
>
> The server side is nt4 server with a T1 line & ms proxy server. that server
> does nothing but run external communications.
>
> the client side win2k or win98 with DSL or cable.
>
> Effective speed for copying a file from the nt server is only a few (2-4)
> kbytes per second. Accessing mail is nearly as bad as dialup. Manipulating
> a file (such as editing a word document) through a mapped drive to the VPN
> is impractical.
>
> Using PCanywhere over the same VPN connection, uncompressible files move at
> about 80kbytes per second. I have heard I should expect 70% of full speed
> with VPN, which is about what we are getting with PCanywhere.
>
> I don't know where to turn to correct this.
>
> Any thought / guidance would be greatly appreciated

From schowning at HOME.COM Mon Feb 5 20:16:12 2001
From: schowning at HOME.COM (Stephen Chowning)
Date: Mon, 5 Feb 2001 17:16:12 -0800
Subject: Toe Dipping Into Turbulence
References: <01903665B361D211BF6700805FAD5D93D9E58E@mail.datarange.co.uk> <20010205174107.A6758@ether.net>
Message-ID: <3A7F505C.34331E00@home.com>

I am looking at VPN as a cost effective solution to my problem. I have a VERY small LAN (5 desktop computers) that I would like to securely add another computer to from a remote (30 miles) location. Ideally this would be a reasonably secure VPN solution that is software based that will run on Macs. I have read several FAQs, and now have several questions.

1. The LAN and the remote location have the ability to access the internet via cable modem, although neither is currently set up to do so. Could I implement a software only solution such as McAffee's PGP Desktop Security 6.5.8 for Mac w/RSA and avoid what so far sounds like expensive hardware? If I need hardware as well, what is the cheapest solution that would provide reasonable security (reasonable= not PPTP or anything else that Billy G. and his minions have their hands in).

2. How secure would PGP Desktop Security 6.5.8 for Mac w/RSA be? I am afraid that you all are going to tell me that it may be reasonably secure for right now, but I had better stay on my toes because things change by the minute.

Sincerely,
Steve Chowning

From PWolf at MC.CC.MD.US Tue Feb 6 11:42:13 2001
From: PWolf at MC.CC.MD.US (Wolf, Paul)
Date: Tue, 6 Feb 2001 11:42:13 -0500
Subject: Assistance in obtaining reference material
Message-ID:

I'm looking for any reference material along the lines of a VPN for Dummies book.
I need to become versed in the methods and technologies involved. Does anybody have a good suggestion to start? Thanks.

Paul Wolf

From woody.weaver at CALLISMA.COM Tue Feb 6 11:45:42 2001
From: woody.weaver at CALLISMA.COM (woody weaver)
Date: Tue, 6 Feb 2001 08:45:42 -0800
Subject: Toe Dipping Into Turbulence
In-Reply-To:
Message-ID:

On Monday, February 05, 2001 5:16 PM, Stephen Chowning wrote:
> I am looking at VPN as a cost effective solution to my problem. I have a VERY
> small LAN (5 desktop computers) that I would like to securely add another computer
> to from a remote (30 miles) location. Ideally this would be a reasonably secure
> VPN solution that is software based that will run on Macs. I have read several
> FAQs, and now have several questions.

Unfortunately, market forces imply that support for mac products is less than for M$ products.

This suggests stand alone appliances may be a better solution.

> 1. The LAN and the remote location have the ability to access the internet via
> cable modem, although neither is currently set up to do so. Could I implement a
> software only solution such as McAffee's PGP Desktop Security 6.5.8 for Mac w/RSA
> and avoid what so far sounds like expensive hardware? If I need hardware as well,
> what is the cheapest solution that would provide reasonable security (reasonable=
> not PPTP or anything else that Billy G. and his minions have their hands in).

For the small LAN, an appliance is probably the right solution. There are several SOHO products. I like the Netscreen 5 (http://www.netscreen.com/products/appliances.html#ns5) although WatchGuard, RedCreek, and others are reasonable. For the stand alone, the personal firewall solution might be right.

Another thing to look at is if the cable modem has (or could be exchanged for a device) that supports IPsec.

> 2. How secure would PGP Desktop Security 6.5.8 for Mac w/RSA be?
> I am afraid that you all are going to tell me that it may be reasonably secure
> for right now, but I had better stay on my toes because things change by the minute.

What does secure mean to you? What are you risking? What are your assets? What is the value? What are the threats? My guess would be that the security of your environment is not going to revolve around the products deployed but in the policies and procedures used to implement and operate the products.

My suggestion would be to use an IPsec based product (rather than PPTP) for its general applicability and robust encryption environment. There are various knobs you can turn to drop encryption standards in place. So your PGP Desktop Security product, with its built in personal firewall, IDS, and IPsec based VPN would be a sound choice.

> Sincerely,
> Steve Chowning

--woody

From Joel.Snyder at OPUS1.COM Tue Feb 6 12:19:59 2001
From: Joel.Snyder at OPUS1.COM (Joel M Snyder)
Date: Tue, 6 Feb 2001 10:19:59 -0700
Subject: Assistance in obtaining reference material
In-Reply-To: "Your message dated Tue, 06 Feb 2001 11:42:13 -0500"
Message-ID: <01JZSBWSJH9O8ZDV0Q@Opus1.COM>

> I'm looking for any reference material along the lines of a VPN for Dummies
> book. I need to become versed in the methods and technologies involved. Does
> anybody have a good suggestion to start? Thanks.

Depending on where you are in the country, you can get an excellent start on VPNs by going to VPNCON the week of Feb 19th in San Jose. http://www.vpncon.com/

In fact, if you want a totally concentrated VPN injection, there's a full-day tutorial on VPNs that Monday which will cover L2/L3/L4 VPN technologies, risks/rewards, what's good/bad about each and such. I think highly of the tutorial, and not just because I wrote much of it, but because it's been tested and taught a dozen times and has been tightly edited to cover the world of VPNs in only 8 hours.
(I won't be teaching it.)

My experience with reference materials is that with the exception of Dan Harkins' book, all of the VPN books are fairly weak. (I realize that I'm also saying this about my co-author Dave Kosiur, and I hope he'll forgive me.) They were largely rushed to market to capitalize on the popularity of VPNs, and the state-of-the-art with VPNs had not advanced enough that a good overview treatment could be written. They are often technically wildly incorrect, not for fault of the authors, but because the standards have changed dramatically in the past year or so.

On my bookshelf, I keep "IPSEC" (DHarkins/Doraswamy) as well as a copy of "Big Book of IPSEC RFCs," largely because it's a lot easier to carry around than printed copies---and my own margin notes are getting substantial. You can get those both from Amazon or FatBrain or any of the usual outlets.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

From Chris at CRCS.COM Tue Feb 6 12:48:45 2001
From: Chris at CRCS.COM (Chris Readle)
Date: Tue, 6 Feb 2001 09:48:45 -0800
Subject: Sonicwall SOHO2
Message-ID: <591CFC58B726D411865700A0C9FC202F09053B@IMSWEB>

I know this list tries to stay mostly vendor neutral, but I was wanting to get opinions about the Sonicwall SOHO2 product. The implementation I've used before includes a Sonicwall acting as firewall and VPN server for an NT or 2000 (mostly 2000) network, and is connected to by mostly 2000 servers acting as internet gateways at remote locations either through some sort of connection sharing or via another Sonicwall/DSL solution. Any thoughts as to Good, Bad or Ugly?
chris

From schowning at HOME.COM Tue Feb 6 12:21:21 2001
From: schowning at HOME.COM (Stephen Chowning)
Date: Tue, 6 Feb 2001 09:21:21 -0800
Subject: Toe Dipping Into Turbulence
References:
Message-ID: <3A803291.34DF6954@home.com>

woody weaver wrote:
> On Monday, February 05, 2001 5:16 PM, Stephen Chowning wrote:
>
> > I am looking at VPN as a cost effective solution to my problem. I have a VERY
> > small LAN (5 desktop computers) that I would like to securely add another computer
> > to from a remote (30 miles) location. Ideally this would be a reasonably secure
> > VPN solution that is software based that will run on Macs. I have read several
> > FAQs, and now have several questions.
>
> Unfortunately, market forces imply that support for mac products is less
> than for M$ products.
>
> This suggests stand alone appliances may be a better solution.

I will never implement M$ products or standards. I'll switch to Linux first.

> > 1. The LAN and the remote location have the ability to access the internet via
> > cable modem, although neither is currently set up to do so. Could I implement a
> > software only solution such as McAffee's PGP Desktop Security 6.5.8 for Mac w/RSA
> > and avoid what so far sounds like expensive hardware? If I need hardware as well,
> > what is the cheapest solution that would provide reasonable security (reasonable=
> > not PPTP or anything else that Billy G. and his minions have their hands in).
>
> For the small LAN, an appliance is probably the right solution. There are
> several SOHO products. I like the Netscreen 5
> (http://www.netscreen.com/products/appliances.html#ns5) although WatchGuard,
> RedCreek, and others are reasonable. For the stand alone, the personal
> firewall solution might be right.
>
> Another thing to look at is if the cable modem has (or could be exchanged
> for a device) that supports IPsec.
Does the average cable modem NOT support IPsec?

> > 2. How secure would PGP Desktop Security 6.5.8 for Mac w/RSA be? I am afraid that
> > you all are going to tell me that it may be reasonably secure for right now, but I
> > had better stay on my toes because things change by the minute.
>
> What does secure mean to you?

A while ago, a gentleman in Europe put a Mac server on the internet and offered (I believe) $50K for someone to hack the system in any way other than denial of service. In six months, no one was able to claim the prize. Does that mean that it was impossible to do? I doubt it. Does it mean that it was secure? To me, yes.

> What are you risking? What are your assets?
> What is the value? What are the threats? My guess would be that the
> security of your environment is not going to revolve around the products
> deployed but in the policies and procedures used to implement and operate
> the products.

At risk is the trust of our customers. We market strictly via internet, so it is extremely valuable. The main assets are the customer credit card #s. If proper implementation of a double key 128 bit system via IPsec protocols is reasonably secure, then that is what I want. I would like to establish what to shoot for first, then determine what equipment will be required to make it happen.

> My suggestion would be to use an IPsec based product (rather than PPTP) for
> its general applicability and robust encryption environment. There are
> various knobs you can turn to drop encryption standards in place. So your
> PGP Desktop Security product, with its built in personal firewall, IDS, and
> IPsec based VPN would be a sound choice.
> > Sincerely,
> > Steve Chowning
>
> --woody

From sandy at STORM.CA Tue Feb 6 15:07:33 2001
From: sandy at STORM.CA (Sandy Harris)
Date: Tue, 6 Feb 2001 15:07:33 -0500
Subject: Assistance in obtaining reference material
References:
Message-ID: <3A805985.D9B4C0AC@storm.ca>

"Wolf, Paul" wrote:
>
> I'm looking for any reference material along the lines of a VPN for Dummies
> book. I need to become versed in the methods and technologies involved. Does
> anybody have a good suggestion to start? Thanks.

Reference sites:

VPN Consortium
http://www.vpnc.org/

This list's home page:
http://kubarb.phsx.ukans.edu/~tbird/vpn.html

At least one VPN implementation has all its documentation online, including glossary, bibliography, web links, ...
http://www.freeswan.org/

From Ole.Vik at CONNECT.NO Tue Feb 6 18:16:29 2001
From: Ole.Vik at CONNECT.NO (Ole Vik)
Date: Wed, 7 Feb 2001 00:16:29 +0100
Subject: Sonicwall SOHO2
Message-ID: <916866138Ole.Vik@connect.no>

It has worked fine for us. The new product line (SOHO2) has a very fast CPU making it ideal for VPN.

--
Ole Vik, Connect AS, Blakstadmarka 26, 1386 Asker, Norway.
Telephone +47-66 90 23 00. Telefax +47-66 90 23 05.

On 6 February 2001 18:48, Chris Readle wrote:
> I know this list tries to stay mostly vendor neutral, but I was wanting to
> get opinions about the Sonicwall SOHO2 product. The implementation I've
> used before includes a Sonicwall acting as firewall and VPN server for an NT
> or 2000 (mostly 2000) network, and is connected to by mostly 2000 servers
> acting as internet gateways at remote locations either through some sort of
> connection sharing or via another Sonicwall/DSL solution. Any thoughts as
> to Good, Bad or Ugly?
> chris

From mkolasa at DOLFIN.COM Thu Feb 8 10:26:54 2001
From: mkolasa at DOLFIN.COM (Mike Kolasa)
Date: Thu, 8 Feb 2001 10:26:54 -0500
Subject: Win2k VPN Services and OpenBSD VPN support
Message-ID:

Would you know of a good resource that contains instructions on how to set up a VPN connection between Windows 2000 Pro built in VPN services (client) and an OpenBSD system (server)? I have successfully created one using NAI's PGP 7.0.3 and would like to try using the built in VPN services of win2k pro. Thank you.

Mike Kolasa
Network Security Consultant
DOLFIN.COM
Mkolasa at Dolfin.com
tel# 905.339.2323 ext. 228
fax# 905.339.2392
www.Dolfin.com

From sandy at STORM.CA Thu Feb 8 22:27:51 2001
From: sandy at STORM.CA (Sandy Harris)
Date: Thu, 8 Feb 2001 22:27:51 -0500
Subject: Win2k VPN Services and OpenBSD VPN support
Message-ID: <3A8363B7.389B0B18@storm.ca>

Mike Kolasa wrote:
>
> Would you know of a good resource that contains instructions on how to set up a VPN connection between Windows 2000 Pro built
> in VPN services (client) and an OpenBSD system (server)? I have successfully created one using NAI's PGP 7.0.3 and would like
> to try using the built in VPN services of win2k pro. Thank you.

I don't know how much this will help, but the Linux FreeS/WAN interoperation document:

http://www.freeswan.org/freeswan_trees/freeswan-1.8/doc/interop.html

has pointers to user-written HowTos for

Linux to BSD:
http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html

Linux to Windows 2K:
http://jixen.tripod.com/
http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm

Maybe they'll have something helpful.
From nithinr at REDIFFMAIL.COM Sat Feb 10 07:36:16 2001
From: nithinr at REDIFFMAIL.COM (nithin rajan)
Date: Sat, 10 Feb 2001 12:36:16 -0000
Subject: Help
Message-ID: <20010210123616.23702.qmail@mailweb10.rediffmail.com>

Is it possible to set up a VPN (using UNIX SSH or any other) with dial up connections at both ends?

From jonc at HAHT.COM Mon Feb 12 13:11:54 2001
From: jonc at HAHT.COM (Jon Carnes)
Date: Mon, 12 Feb 2001 13:11:54 -0500
Subject: Help - Dialup to Dialup VPN
References: <20010210123616.23702.qmail@mailweb10.rediffmail.com>
Message-ID: <00c301c0951f$487a8e10$0b04010a@JCARNES>

The easiest way to handle that would be to use a dynamic DNS server somewhere. Assuming that this is just for fun and not an actual business need - there are free DDNS services available via the web. You can also pay for the service. It's fairly inexpensive.

When you dial up to the net, your box checks in with the DDNS and tells it the current address. If you were using tzo.com as your DDNS service then your box might go by the dns name of: mybox.ontheroad.tzo.com. The other box would dial in to the internet and find yours by sending a dns query for the box mybox.ontheroad.tzo.com. This would always return your current ip address - whatever it might be.

Once you have a known endpoint, then the other machine can always find it. The machine running DDNS would have to be the server, the other would be a client. Under Unix/Linux you could use any number of ways to connect them. PopTop is one of the most popular. Secure Shell would work great.

An alternative would be to use a newsgroup somewhere that is fairly reliable and to post the connection information. That would be tough to automate, but is doable.
Have fun - Jon Carnes

----- Original Message -----
From: "nithin rajan"
Sent: Saturday, February 10, 2001 7:36 AM
Subject: Help

> Is it possible to set up a VPN (using UNIX SSH or any other) with dial up connections at both ends?

From sharma at BANYANNETWORKS.COM Tue Feb 13 02:47:24 2001
From: sharma at BANYANNETWORKS.COM (K Anjaneya Sharma)
Date: Tue, 13 Feb 2001 13:17:24 +0530
Subject: A doubt on IPSEC & NAT
Message-ID:

Hi Friends,

I am new to VPN. I have a basic doubt with IPSEC and NAT. Will IPsec and NAT work together? If so, how? Can u please explain. If u have already discussed, please provide me pointers for the same.

Thanks. Waiting for reply, with regards,
sharma

From shope at ENERGIS-EIS.CO.UK Mon Feb 12 12:06:03 2001
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Mon, 12 Feb 2001 17:06:03 -0000
Subject: Help
Message-ID: <01903665B361D211BF6700805FAD5D93D9E5CC@mail.datarange.co.uk>

I am assuming you mean 2 dial in connections to the Internet and each remote device has to dial in - there is no "dial out" support from your ISP.....

BTW - you can get an ISP account where the ISP dials you when they have traffic to deliver - but the resulting phone bill is a major problem, since any packets to your network generate the calls, and you get the bill......

Only if you have some way to trigger the dial up links to both come up. Nothing stops you using a system like this, but it is very cumbersome - you will need some "out of band" way to co-ordinate the 2 dial ups so they happen at the same time - a phone call, another network (in which case why are you bothering with 2 * dial up), time co-ordination or some sort of dial back.
Things to worry about - time zones, summer time, bank holidays, different week structures.

Most VPN gear assumes only 1 dial up link between the VPN encapsulation points (just like a remote access system).

Why not keep it simple and just dial 1 modem from the other - you then get a point to point link?

More to the point - VPNs are supposed to save money, but making lots of phone calls or tying up people to co-ordinate computers is likely to waste a lot more than you save.

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: nithin rajan [mailto:nithinr at REDIFFMAIL.COM]
> Sent: 10 February 2001 12:36
> To: VPN at SECURITYFOCUS.COM
> Subject: Help
>
> Is it possible to set up a VPN (using UNIX SSH or any other) with dial up connections at both ends?

From Debashis.Ghosh at GEASN.GE.COM Tue Feb 13 03:39:08 2001
From: Debashis.Ghosh at GEASN.GE.COM (Ghosh, Debashis (CORP, CIM))
Date: Tue, 13 Feb 2001 16:39:08 +0800
Subject: A doubt on IPSEC & NAT
Message-ID: <9D80D576D84CD411914B00508BCF749601B3485F@sin01xbasnge.geasn.ge.com>

IPSEC can be of two types: AH and ESP. NAT works with ESP only.... here's how.....

The IPSec Authentication Header (AH) digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, verifying the identity of the source and destination machines and the integrity of the payload. The IPSec Encapsulating Security Payload (ESP) guarantees the integrity and confidentiality of the data in the original message by combining a secure hash and encryption of either the original payload by itself, or the headers and payload of the original packet.

NAT is incompatible with Authentication Header protocol, whether used in transport or tunnel mode. An IPsec VPN using AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.

Why this bothers NAT is the last part: a NAT device in between the IPsec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and will complain that the hash value appended to the received packet doesn't match.
The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been altered for nefarious purposes.

IPsec using Encapsulating Security Payload in tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet.

This mode (tunnel mode ESP with authentication) is compatible with NAT, because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device.

Transport mode ESP with authentication is also compatible with NAT, but is not often used by itself. Since the hash is computed only over the original payload, original headers may be rewritten.

In addition, NAT may interfere with IPSec (both ESP and AH) if it prevents the two VPN gateways from successfully negotiating SAs using ISAKMP/IKE with certificates. X.509 certificates are signed by a trusted third party (called a Certificate Authority) in order to bind a user's or device's public key to some other identifying public characteristic. One common identifying characteristic used for VPN gateway devices is external IP address. If the two VPN gateways exchange signed certificates that bind each gateway's identity to its IP address, NAT address rewriting will cause IKE negotiation to fail.

Hope this helps!!
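The AH-versus-ESP point in the message above, as an added example that is not from the original post: it builds a constructed AH packet and an ESP tunnel-mode packet, each protected with an HMAC-SHA1-96 integrity check, pushes both through a NAT that rewrites the source address, and verifies each again. Encryption and the ESP trailer are left out to keep the focus on what the integrity check covers; the key, SPIs and addresses are constructed for the demo.

```python
"""Why AH breaks under NAT while ESP survives: a constructed demonstration.

AH's integrity check value (ICV) covers the IP header (with only the mutable
fields zeroed), so a NAT rewriting the source address invalidates it.  ESP's
ICV covers only the ESP header and payload, so the outer header may change.
Encryption and the ESP trailer are omitted (simplification); the key and
addresses are constructed for the demo.
"""
import hashlib
import hmac
import socket
import struct

# Constructed shared integrity key for the SA (a real SA key comes from IKE).
INTEGRITY_KEY = b"constructed-demo-key"

IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12  # HMAC-SHA1-96 truncates HMAC-SHA1 to 96 bits (RFC 2404)


def ip_checksum(data):
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icv(data):
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_authenticated_bytes(pkt):
    """Everything AH signs: the IP header with mutable fields zeroed, the AH
    header with its ICV field zeroed, then the payload.  Source/destination
    addresses are immutable in AH terms, so they are included."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0                 # TOS
    hdr[6:8] = b"\x00\x00"     # flags + fragment offset
    hdr[8] = 0                 # TTL
    hdr[10:12] = b"\x00\x00"   # header checksum
    ah = bytearray(pkt[20:44])
    ah[12:24] = bytes(ICV_LEN)  # ICV field is zero while computing
    return bytes(hdr) + bytes(ah) + pkt[44:]


def build_ah_packet(src, dst, inner_pkt, spi=0x100, seq=1):
    """AH tunnel-mode packet: IP | AH(next=4 IP-in-IP, len, spi, seq, ICV) | inner."""
    ah_hdr = struct.pack("!BBHII", 4, 4, 0, spi, seq) + bytes(ICV_LEN)
    pkt = ipv4_header(src, dst, IPPROTO_AH, len(ah_hdr) + len(inner_pkt)) + ah_hdr + inner_pkt
    return pkt[:32] + icv(ah_authenticated_bytes(pkt)) + pkt[44:]


def verify_ah(pkt):
    return hmac.compare_digest(icv(ah_authenticated_bytes(pkt)), pkt[32:44])


def build_esp_packet(src, dst, inner_pkt, spi=0x200, seq=1):
    """ESP tunnel-mode packet: IP | ESP(spi, seq) | payload | ICV.  The payload
    would be ciphertext; here it is the inner packet as-is (simplification)."""
    esp = struct.pack("!II", spi, seq) + inner_pkt
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp) + ICV_LEN) + esp + icv(esp)


def verify_esp(pkt):
    """ESP authenticates only from the ESP header to the end of the payload."""
    return hmac.compare_digest(icv(pkt[20:-ICV_LEN]), pkt[-ICV_LEN:])


def nat_rewrite_source(pkt, new_src):
    """What a NAT between the gateways does: swap the source address and fix
    the header checksum, touching nothing past the IP header."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def demo():
    """Returns the four verification outcomes; only AH fails after NAT."""
    inner = ipv4_header("10.1.1.5", "10.2.2.7", 17, 11) + b"udp payload"  # constructed
    ah_pkt = build_ah_packet("192.0.2.10", "198.51.100.20", inner)
    esp_pkt = build_esp_packet("192.0.2.10", "198.51.100.20", inner)
    return {
        "ah_before_nat": verify_ah(ah_pkt),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah_pkt, "203.0.113.1")),
        "esp_before_nat": verify_esp(esp_pkt),
        "esp_after_nat": verify_esp(nat_rewrite_source(esp_pkt, "203.0.113.1")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-15s %s" % (name, "ICV OK" if ok else "ICV MISMATCH"))
```

The IKE identity and UDP port 500 problems raised later in the thread are separate from this check and are not modelled here.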
Regards and Thanks,
Debashis

_________________
Debashis Ghosh
VPN Product Manager - ASPAC, GE Corporate Information Management
GE Towers #07-00, 240 Tanjong Pagar Road
Tel: 65 3263240; DC: 533 3240

-----Original Message-----
From: K Anjaneya Sharma [mailto:sharma at BANYANNETWORKS.COM]
Sent: Tuesday, February 13, 2001 3:47 PM
To: VPN at SECURITYFOCUS.COM
Subject: A doubt on IPSEC & NAT

> Will IPsec and NAT work together? If so, how?

From Joel.Snyder at OPUS1.COM Tue Feb 13 11:13:33 2001
From: Joel.Snyder at OPUS1.COM (Joel M Snyder)
Date: Tue, 13 Feb 2001 09:13:33 -0700
Subject: A doubt on IPSEC & NAT
References: <9D80D576D84CD411914B00508BCF749601B3485F@sin01xbasnge.geasn.ge.com>
Message-ID: <3A895D29.C5FED6B2@opus1.com>

> In addition, NAT may interfere with IPSec (both ESP and AH) if it prevents
> the two VPN gateways from successfully negotiating SAs using ISAKMP/IKE with
> certificates. X.509 certificates are signed by a trusted third party (called
> a Certificate Authority) in order to bind a user's or device's public key to
> some other identifying public characteristic. One common identifying
> characteristic used for VPN gateway devices is external IP address.

The problem is worse than that. There are about 10 different ways in which the X.509 identity can be presented in the IKE authentication payload. IP address is one, but FQDNs are another, and if you bother to check FQDNs (many vendors don't), then the identity can still fail. Even if you use DN (type 9), which is fairly common among IPSEC vendors, you may run afoul of subfields.

And this assumes you want to use certs and not something simple, like PSS.
But NAT breaks things yet another way: assuming you are able to get Phase 1 up with IKE, you still have to negotiate Quick Mode. What IP address is going to go into the identification payloads for the QM SA? Each side has a different view of what the two IP addresses (or, more typically, IP address and set of IP address ranges and subnets on the gateway side) are to be protected with ESP. If those fail consistency checks or simply don't match, the QM SA might be established, but useless.

The short answer is that NAT is an evil thing and while it is possible to get IPSEC going through NAT, it's a lot better to do it the other way around.

jms

From naveedullahk at YAHOO.COM Tue Feb 13 05:44:36 2001
From: naveedullahk at YAHOO.COM (Naveedullah Khan)
Date: Tue, 13 Feb 2001 02:44:36 -0800
Subject: Help regarding vpn
Message-ID: <20010213104436.17435.qmail@web3407.mail.yahoo.com>

Hello ppl,

I have trouble implementing vpn. i m currently using the book "linux deployment" but i m a newbie to linux.. plz if some1 can help me regarding the basics or provide any links 4 that

=====
with best regards from
NAVEEDULLAH KHAN
Deptt. of Computer Science
Karachi University

From robert.palmer at IPIX.COM Tue Feb 13 09:19:23 2001
From: robert.palmer at IPIX.COM (Robert G Palmer Jr)
Date: Tue, 13 Feb 2001 09:19:23 -0500
Subject: SonicWall and PGPnet
Message-ID:

Has anyone determined if PGPnet will function with a SonicWall VPN? I have been trying to get PGPnet configured for this connectivity, but have not yet been able to obtain a connection.

-----------------------------
Robert G. Palmer, Jr.
Product Engineer
robert.palmer at ipix.com
iPIX - The Leader in Dynamic Imaging
Phone: (865)-482-3000
http://www.ipix.com

From tbird at PRECISION-GUESSWORK.COM Tue Feb 13 10:43:08 2001
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 13 Feb 2001 09:43:08 -0600
Subject: IPsec and User Authentication
Message-ID:

Hi all --

I am in the middle of revising my VPN tutorial (the USENIX/SANS class), and in looking at the IPsec section a question has arisen.

How many of you are using IPsec for remote access VPN -- that is, for replacing dial-ups for individual users, rather than site-to-site? If you are, what are you doing for user authentication?

The book answers seem to be user-based digital certificates (if you've got some way to associate them with a user rather than a machine), one of the "hybrid" authentication mechanisms (XAUTH and its relatives), or some layering of IPsec with protocols like PPTP or L2TP (which include "traditional" user authentication support). But I'm curious to see what people who are really >doing< it are doing.

Thanks for any info. For those who are curious, I will post results to the list -- and if you really want to get the gory details, I'll be teaching the class at SANS in Baltimore in May.

cheers -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From tbird at PRECISION-GUESSWORK.COM Tue Feb 13 10:51:01 2001
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 13 Feb 2001 09:51:01 -0600
Subject: A doubt on IPSEC & NAT
In-Reply-To: <3A895D29.C5FED6B2@opus1.com>
Message-ID:

NAT causes another problem with IKE, as some unfortunate souls trying to use VPN clients behind a firewall have discovered.

If you're behind a machine doing address translation that also modifies the source port of your IKE packet, it won't be recognized by the IKE server.
For some reason that I've never understood, IKE expects source and destination port to be UDP 500, not just destination port like most of the other services out there. So even if you managed to disable all the mechanisms which check for header consistency in the IPsec communications, you'd still be in trouble.

I agree with Joel -- NAT is evil, but man! given the large number of places I'm stuck using it, it would be nice to have a little more flexibility in the IPsec protocols.

cheers -- tbird

On Tue, 13 Feb 2001, Joel M Snyder wrote:
> The short answer is that NAT is an evil thing and while it is possible
> to get IPSEC going through NAT, it's a lot better to do it the other way around.
>
> jms

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From Ole.Vik at CONNECT.NO Tue Feb 13 12:23:42 2001
From: Ole.Vik at CONNECT.NO (Ole Vik)
Date: Tue, 13 Feb 2001 18:23:42 +0100
Subject: SonicWall and PGPnet
Message-ID: <917449772Ole.Vik@connect.no>

Yes, it works with firmware 6.0 due out any day soon.

--
Ole Vik, Connect AS, Blakstadmarka 26, 1386 Asker, Norway.
Telephone +47-66 90 23 00. Telefax +47-66 90 23 05.

On 13 February 2001 15:19, Robert G Palmer Jr wrote:
> Has anyone determined if PGPnet will function with a SonicWall VPN?

From cgripp at AXCELERANT.COM Tue Feb 13 12:46:43 2001
From: cgripp at AXCELERANT.COM (Christopher S. Gripp)
Date: Tue, 13 Feb 2001 09:46:43 -0800
Subject: IPsec and User Authentication
In-Reply-To:
Message-ID:

RADIUS to an RSA Secure server using 2 phase auth. in most cases.

Christopher S. Gripp
Systems Engineer
Axcelerant
Connecting Everyone In Your Business World
Visit us @ http://www.axcelerant.com

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Tina Bird
Sent: Tuesday, February 13, 2001 7:43 AM
To: VPN at SECURITYFOCUS.COM
Subject: IPsec and User Authentication

> How many of you are using IPsec for remote access VPN -- that is, for replacing
> dial-ups for individual users, rather than site-to-site? If you are, what are
> you doing for user authentication?

From Ole.Vik at CONNECT.NO Tue Feb 13 16:29:55 2001
From: Ole.Vik at CONNECT.NO (Ole Vik)
Date: Tue, 13 Feb 2001 22:29:55 +0100
Subject: IPsec and User Authentication
Message-ID: <917464544Ole.Vik@connect.no>

We are selling SonicWALLs and we use Radius for user validation/authentication. Mostly SecurID with their cards. This is a very easy implementation and scales well, if needed.

--
Ole Vik, Connect AS, Blakstadmarka 26, 1386 Asker, Norway.
Telephone +47-66 90 23 00. Telefax +47-66 90 23 05.

On 13 February 2001 16:43, Tina Bird wrote:
> How many of you are using IPsec for remote access VPN -- that is, for replacing
> dial-ups for individual users, rather than site-to-site? If you are, what are
> you doing for user authentication?

From nvakhari at HOTJOBS.COM Tue Feb 13 16:47:10 2001
From: nvakhari at HOTJOBS.COM (Nimesh Vakharia)
Date: Tue, 13 Feb 2001 16:47:10 -0500
Subject: A doubt on IPSEC & NAT
In-Reply-To:
Message-ID:

There was some talk on adding a UDP header on top of the ESP header to support port translation. In theory for IKE negotiation we could do a similar thing and get around it. Is there any work being done to make the UDP encapsulation a standard feature? What do people think about it?

The drawback is a lack of full duplex access to the site doing port translation but u really don't really need it. I don't think anything would break in this scenario again assuming u'r using pss...
NAT can be considered an evil thing or a cool hack, but then again we can go back and forth about it for centuries. ;)

Nimesh.

On Tue, 13 Feb 2001, Tina Bird wrote:
> If you're behind a machine doing address translation that
> also modifies the source port of your IKE packet, it won't
> be recognized by the IKE server. For some reason that I've
> never understood, IKE expects source and destination port to
> be UDP 500, not just destination port like most of the other
> services out there.

From tbird at PRECISION-GUESSWORK.COM Wed Feb 14 01:38:47 2001
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Wed, 14 Feb 2001 00:38:47 -0600
Subject: Microsoft Security Bulletin MS01-009 (fwd)
Message-ID:

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

---------- Forwarded message ----------
Date: Tue, 13 Feb 2001 12:01:13 -0800
From: Microsoft Product Security
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: Microsoft Security Bulletin MS01-009

The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox.
----------------------------------------------------------------------
Title:      Patch Available for "Malformed PPTP Packet Stream" Vulnerability
Date:       13 February 2001
Software:   Windows NT 4.0 servers running PPTP
Impact:     Denial of service
Bulletin:   MS01-009

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-009.asp.
----------------------------------------------------------------------

Issue:
======
The PPTP service in Windows NT 4.0 has a flaw in a part of the code that handles a particular type of data packet, which results in a leak of kernel memory. If a sufficient number of packets containing a specific malformation were received by an affected server, kernel memory would eventually become exhausted. The likely outcome would be that the server would either hang or fail altogether. In either case, the machine would need to be rebooted to restore normal operation, and any PPTP sessions underway at the time would be lost.

It would not be necessary for the attacker to establish a valid PPTP session in order to exploit the vulnerability.

Mitigating Factors:
====================
- The vulnerability does not threaten the security of data within PPTP sessions -- it is strictly a denial of service vulnerability.
- Only Windows NT 4.0 machines running the PPTP service are at risk. The service does not run by default.
- The Windows 2000 PPTP service is not affected by the vulnerability.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletin
  http://www.microsoft.com/technet/security/bulletin/ms01-009.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Kirk Corey of Diversified Software Industries, Inc. (www.dsi-inc.net)
---------------------------------------------------------------------
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

VPN is sponsored by SecurityFocus.COM


From aasenov at YAHOO.COM Tue Feb 13 13:29:57 2001
From: aasenov at YAHOO.COM (Asen Asenov)
Date: Tue, 13 Feb 2001 10:29:57 -0800
Subject: VPN history
Message-ID: <20010213182957.17088.qmail@web704.mail.yahoo.com>

Hello there,

I need some information about the history of VPN, and I was wondering if you can provide such to me. I am a student at the University of Nebraska at Omaha and I need this information for one of my course research projects.

Thank you in advance for your contribution.

Sincerely,
Asen Milkov


From ifox100 at HOTMAIL.COM Tue Feb 13 19:30:22 2001
From: ifox100 at HOTMAIL.COM (Ivan Fox)
Date: Tue, 13 Feb 2001 19:30:22 -0500
Subject: Can I setup a VPN this way?

There are 3 sites in serial, i.e., A -> B -> C. Each site has a Check Point VPN-1. They are connected using leased E1 lines.

Can a VPN start at site A and terminate at site C? Each site has its own network id!

Any comments are appreciated.

By the way, can a VLAN (layer 3) also provide "security"?

Any pointers/comments are welcome.

Ivan


From robert.palmer at IPIX.COM Tue Feb 13 14:57:10 2001
From: robert.palmer at IPIX.COM (Robert G Palmer Jr)
Date: Tue, 13 Feb 2001 14:57:10 -0500
Subject: A doubt on IPSEC & NAT
In-Reply-To: <3A895D29.C5FED6B2@opus1.com>

What exactly do you mean by "it's a lot better to do it the other way around" - NAT through IPSEC?
on 2/13/01 11:13 AM, Joel M Snyder at Joel.Snyder at OPUS1.COM wrote:

> The short answer is that NAT is an evil thing and while it is possible to get IPSEC going through NAT, it's a lot better to do it the other way around.

-----------------------------
Robert G. Palmer, Jr.
Product Engineer
robert.palmer at ipix.com
iPIX - The Leader in Dynamic Imaging
Phone: (865)-482-3000
http://www.ipix.com


From cdupuis at CCCURE.ORG Tue Feb 13 13:36:09 2001
From: cdupuis at CCCURE.ORG (Clement Dupuis)
Date: Tue, 13 Feb 2001 13:36:09 -0500
Subject: A doubt on IPSEC & NAT

Good day Tina,

I have seen multiple devices, more specifically DSL routers such as Nexland, that announce DSL passthrough for up to 100 clients. Have you been using such a device, and do they really allow IPSEC through?

Thanks

Clement

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Tina Bird
> Sent: 13 February 2001 10:51
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: A doubt on IPSEC & NAT
>
> NAT causes another problem with IKE, as some unfortunate souls trying to use VPN clients behind a firewall have discovered.
>
> If you're behind a machine doing address translation that also modifies the source port of your IKE packet, it won't be recognized by the IKE server. For some reason that I've never understood, IKE expects source and destination port to be UDP 500, not just destination port like most of the other services out there. So even if you managed to disable all the mechanisms which check for header consistency in the IPsec communications, you'd still be in trouble.
>
> I agree with Joel -- NAT is evil, but man! given the large number of places I'm stuck using it, it would be nice to have a little more flexibility in the IPsec protocols.
>
> cheers -- tbird
>
> On Tue, 13 Feb 2001, Joel M Snyder wrote:
>
> > Date: Tue, 13 Feb 2001 09:13:33 -0700
> > From: Joel M Snyder
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: A doubt on IPSEC & NAT
> >
> > > In addition, NAT may interfere with IPSec (both ESP and AH) if it prevents the two VPN gateways from successfully negotiating SAs using ISAKMP/IKE with certificates. X.509 certificates are signed by a trusted third party (called a Certificate Authority) in order to bind a user's or device's public key to some other identifying public characteristic. One common identifying characteristic used for VPN gateway devices is external IP address.
> >
> > The problem is worse than that. There are about 10 different ways in which the X.509 identity can be presented in the IKE authentication payload. IP address is one, but FQDNs are another, and if you bother to check FQDNs (many vendors don't), then the identity can still fail. Even if you use DN (type 9), which is fairly common among IPSEC vendors, you may run afoul of subfields.
> >
> > And this assumes you want to use certs and not something simple, like PSS.
> >
> > But NAT breaks things yet another way: assuming you are able to get Phase 1 up with IKE, you still have to negotiate Quick Mode. What IP address is going to go into the identification payloads for the QM SA? Each side has a different view of what the two IP addresses (or, more typically, IP address and set of IP address ranges and subnets on the gateway side) are to be protected with ESP. If those fail consistency checks or simply don't match, the QM SA might be established, but useless.
> >
> > The short answer is that NAT is an evil thing and while it is possible to get IPSEC going through NAT, it's a lot better to do it the other way around.
> >
> > jms
>
> VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> life: http://kubarb.phsx.ukans.edu/~tbird
> work: http://www.counterpane.com


From cgripp at AXCELERANT.COM Tue Feb 13 17:50:31 2001
From: cgripp at AXCELERANT.COM (Christopher S. Gripp)
Date: Tue, 13 Feb 2001 14:50:31 -0800
Subject: A doubt on IPSEC & NAT
In-Reply-To: <3A895D29.C5FED6B2@opus1.com>

Anyone worked with the new Linksys EtherFast routers that have IPSec passthrough? We have, and they work great, but I am still trying to understand HOW they actually work without screwing up the AH checksum!?!

Christopher S. Gripp
Systems Engineer
Axcelerant
Connecting Everyone In Your Business World
Visit us @ http://www.axcelerant.com

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Joel M Snyder
Sent: Tuesday, February 13, 2001 8:14 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: A doubt on IPSEC & NAT

> In addition, NAT may interfere with IPSec (both ESP and AH) if it prevents the two VPN gateways from successfully negotiating SAs using ISAKMP/IKE with certificates. X.509 certificates are signed by a trusted third party (called a Certificate Authority) in order to bind a user's or device's public key to some other identifying public characteristic. One common identifying characteristic used for VPN gateway devices is external IP address.

The problem is worse than that. There are about 10 different ways in which the X.509 identity can be presented in the IKE authentication payload. IP address is one, but FQDNs are another, and if you bother to check FQDNs (many vendors don't), then the identity can still fail. Even if you use DN (type 9), which is fairly common among IPSEC vendors, you may run afoul of subfields.

And this assumes you want to use certs and not something simple, like PSS.
But NAT breaks things yet another way: assuming you are able to get Phase 1 up with IKE, you still have to negotiate Quick Mode. What IP address is going to go into the identification payloads for the QM SA? Each side has a different view of what the two IP addresses (or, more typically, IP address and set of IP address ranges and subnets on the gateway side) are to be protected with ESP. If those fail consistency checks or simply don't match, the QM SA might be established, but useless.

The short answer is that NAT is an evil thing and while it is possible to get IPSEC going through NAT, it's a lot better to do it the other way around.

jms


From bhaney at SATEL.COM Tue Feb 13 12:05:30 2001
From: bhaney at SATEL.COM (BHaney)
Date: Tue, 13 Feb 2001 10:05:30 -0700
Subject: IPsec and User Authentication

As a consultant, I've set it up with a variety of different authentication policies. But usually people want something that is low administration and transparent. Most travelling sales people or the CEO who wants to VPN in from home don't want to deal with the problems associated with extensive authentication.

Mainly, I've used Cisco based VPN technologies (router/PIX and 3000 concentrator). The best choice for authentication is the 3000 concentrator. You can have it authenticate directly to an NT database or TACACS server. Perfect. However, it can be very expensive.

As for authenticating the clients that terminate at a router or VPN, most implementations that I have seen/done have been simply pre-shared keys with either a local username and password at the PIX or router or a TACACS server. People choose this over certs and other authentication methods because it is easy to deploy on a large scale. Simply export/import the client policy to a new machine, etc.

I've worked with quite a few reputable companies and you would be surprised at how lax the security is simply because they don't want the hassle of synchronizing databases, etc.

That's my experience.

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Tina Bird
Sent: Tuesday, February 13, 2001 8:43 AM
To: VPN at SECURITYFOCUS.COM
Subject: IPsec and User Authentication

Hi all --

I am in the middle of revising my VPN tutorial (the USENIX/SANS class), and in looking at the IPsec section a question has arisen.

How many of you are using IPsec for remote access VPN -- that is, for replacing dial-ups for individual users, rather than site-to-site? If you are, what are you doing for user authentication?

The book answers seem to be user-based digital certificates (if you've got some way to associate them with a user rather than a machine), one of the "hybrid" authentication mechanisms (XAUTH and its relatives), or some layering of IPsec with protocols like PPTP or L2TP (which include "traditional" user authentication support). But I'm curious to see what people who are really >doing< it are doing.

Thanks for any info. For those who are curious, I will post results to the list -- and if you really want to get the gory details, I'll be teaching the class at SANS in Baltimore in May.
cheers -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com


From lists at FIPS.DE Wed Feb 14 00:35:57 2001
From: lists at FIPS.DE (Philipp Buehler)
Date: Wed, 14 Feb 2001 06:35:57 +0100
Subject: A doubt on IPSEC & NAT
In-Reply-To: <3A895D29.C5FED6B2@opus1.com>; "Joel M Snyder" on 13.02.2001 @ 17:13:33 MET
References: <9D80D576D84CD411914B00508BCF749601B3485F@sin01xbasnge.geasn.ge.com> <3A895D29.C5FED6B2@opus1.com>
Message-ID: <20010214063557.B7864@pohl.fips.de>

On 13/02/2001, Joel M Snyder wrote To VPN at SECURITYFOCUS.COM:

> The problem is worse than that. There are about 10 different ways in which the X.509 identity can be presented in the IKE authentication payload. IP address is one, but FQDNs are another, and if you bother to check FQDNs (many vendors don't), then the identity can still fail. Even if you use DN (type 9), which is fairly common among IPSEC vendors, you may run afoul of subfields.

Beat the vendor or, if possible, change product (maybe one side is enough :>)

> But NAT breaks things yet another way: assuming you are able to get Phase 1 up with IKE, you still have to negotiate Quick Mode. What IP address is going to go into the identification payloads for the QM SA?

Two thoughts:
- NAT incoming packets for their source address before/on the gate
- Aggressive mode?

> The short answer is that NAT is an evil thing and while it is possible to get IPSEC going through NAT, it's a lot better to do it the other way around.

Redesign of existing networks is, uhm, not always an option. Pick appropriate software to handle certs correctly, or other concepts. Yes, people buy and then start to run into problems (with NAT and other stuff). But this is bad planning and not a problem of NAT or IPSec.

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |
#1: Break the clue barrier!
#2: Already had buzzword confuseritis?


From chris_barker at WESTLB.CO.JP Tue Feb 13 23:01:32 2001
From: chris_barker at WESTLB.CO.JP (Chris Barker)
Date: Wed, 14 Feb 2001 13:01:32 +0900
Subject: IPsec and User Authentication
Message-ID: <492569F3.001579AC.00@tky-notes-03.westlb.co.jp>

Hi all,

We're using VPN to replace dialup. We use a two-factor authentication system: X.509 certs authenticate client systems, while we use SecureID tokens to authenticate users with XAUTH.

Chris Barker
APAC Regional IT Security Officer
WestLB Systems, Tokyo Branch
chris_barker at westlb.co.jp

Tina Bird on 02/14/2001 12:43:08 AM
Please respond to Tina Bird


From Isabel.Schmitt at WEB.DE Wed Feb 14 04:30:46 2001
From: Isabel.Schmitt at WEB.DE (Isabel Schmitt)
Date: Wed, 14 Feb 2001 10:30:46 +0100
Subject: Advantages / Disadvantages VPN - Solutions
Message-ID: <200102140930.f1E9Uko19221@mailgate3.cinetic.de>

Hello everybody,

I'm a student and have to do research on the advantages and disadvantages of the different VPN solutions. The solutions I have to investigate are:

- dedicated VPN Software
- Firewall + Encryption
- Router + Software
- dedicated VPN Hardware

Thanks in advance.

I.Schmitt


From Hugo at MICMAC.COM.BR Wed Feb 14 05:36:02 2001
From: Hugo at MICMAC.COM.BR (Hugo Caye)
Date: Wed, 14 Feb 2001 08:36:02 -0200
Subject: A doubt on IPSEC & NAT

There is an interesting article titled "The Trouble with NAT" (by Lisa Phifer) at: . Interesting because it gives us an overview of NAT and explains why IPSec and NAT shouldn't (and sometimes can) work.
-----Original Message-----
From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
Sent: Tuesday, 13 February 2001 13:51
To: VPN at SECURITYFOCUS.COM
Subject: Re: A doubt on IPSEC & NAT

NAT causes another problem with IKE, as some unfortunate souls trying to use VPN clients behind a firewall have discovered.

If you're behind a machine doing address translation that also modifies the source port of your IKE packet, it won't be recognized by the IKE server. For some reason that I've never understood, IKE expects source and destination port to be UDP 500, not just destination port like most of the other services out there. So even if you managed to disable all the mechanisms which check for header consistency in the IPsec communications, you'd still be in trouble.

I agree with Joel -- NAT is evil, but man! given the large number of places I'm stuck using it, it would be nice to have a little more flexibility in the IPsec protocols.

cheers -- tbird

On Tue, 13 Feb 2001, Joel M Snyder wrote:

> Date: Tue, 13 Feb 2001 09:13:33 -0700
> From: Joel M Snyder
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: A doubt on IPSEC & NAT
>
> > In addition, NAT may interfere with IPSec (both ESP and AH) if it prevents the two VPN gateways from successfully negotiating SAs using ISAKMP/IKE with certificates. X.509 certificates are signed by a trusted third party (called a Certificate Authority) in order to bind a user's or device's public key to some other identifying public characteristic. One common identifying characteristic used for VPN gateway devices is external IP address.
>
> The problem is worse than that. There are about 10 different ways in which the X.509 identity can be presented in the IKE authentication payload. IP address is one, but FQDNs are another, and if you bother to check FQDNs (many vendors don't), then the identity can still fail. Even if you use DN (type 9), which is fairly common among IPSEC vendors, you may run afoul of subfields.
>
> And this assumes you want to use certs and not something simple, like PSS.
>
> But NAT breaks things yet another way: assuming you are able to get Phase 1 up with IKE, you still have to negotiate Quick Mode. What IP address is going to go into the identification payloads for the QM SA? Each side has a different view of what the two IP addresses (or, more typically, IP address and set of IP address ranges and subnets on the gateway side) are to be protected with ESP. If those fail consistency checks or simply don't match, the QM SA might be established, but useless.
>
> The short answer is that NAT is an evil thing and while it is possible to get IPSEC going through NAT, it's a lot better to do it the other way around.
>
> jms

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com


From rick_smith at SECURECOMPUTING.COM Wed Feb 14 09:57:37 2001
From: rick_smith at SECURECOMPUTING.COM (Rick Smith at Secure Computing)
Date: Wed, 14 Feb 2001 08:57:37 -0600
Subject: VPN history
In-Reply-To: <20010213182957.17088.qmail@web704.mail.yahoo.com>
Message-ID: <4.3.2.7.0.20010214084347.01f33650@posey.sctc.com>

At 12:29 PM 2/13/01, you wrote:
>Hello there,
>I need some information about the history of VPN, and
>I was wondering if you can provide such to me.

Okay, so what is a "VPN" for the purposes of this history? Presumably it's something more than point to point link encryption.

If so, then the 'first' is probably the Private Line Interfaces put on the old ARPANET in the '70s. It ran ARPANET host traffic through an NSA link encryptor and then pasted the result into regular host-to-host messages for normal handling by the network.
I suppose the 'next' thing was Blacker, and then SDNS, which ultimately begat IPSEC. Somewhere in there we have the independent evolution of PC things like PPTP. I'm not sure what the first commercial VPN product was, but it might have been HannaH, which was based on SDNS.

For references and details, look at old NCSC and NISSC conference proceedings. They've got papers on just about all of those things. The IEEE Oakland Security and Privacy conference may have a few things, too.

Rick.
smith at securecomputing.com


From mep at NETSEC.NET Wed Feb 14 10:21:52 2001
From: mep at NETSEC.NET (matthew patton)
Date: Wed, 14 Feb 2001 10:21:52 -0500
Subject: IPSec solutions for Solaris 2.7 or 2.8

I haven't been able to find a good answer to this yet. Solaris 8 comes with some IPsec features via ipsecconf(1) and ipseckey(1), but from what I can gather all it supports is manual keying, and potentially having to store sensitive crypto keys on disk.

Is there no built-in or 3rd party VPN solution for Solaris (sparc or intel) that does full IKE/ISAKMP? i.e. automatic phase 1/phase 2 keying like FreeS/WAN, OpenBSD, and any of the dozen Windows/Mac based clients do?

I find it hard to believe that Sun could be this far behind the curve...

--
Network Security Technologies Inc. - Commercial support for OpenBSD
www.netsec.net (703) 561-0420 matthew.patton at netsec.net

"Government is not reason; it is not eloquence; it is force! Like fire, it is a dangerous servant and a fearful master." - George Washington


From shope at ENERGIS-EIS.CO.UK Wed Feb 14 05:37:24 2001
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Wed, 14 Feb 2001 10:37:24 -0000
Subject: IPsec and User Authentication
Message-ID: <01903665B361D211BF6700805FAD5D93D9E5DB@mail.datarange.co.uk>

The majority of the ones I come across use L2F or L2TP, and RADIUS authentication at the customer site.

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Christopher S. Gripp [mailto:cgripp at AXCELERANT.COM]
> Sent: 13 February 2001 17:47
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: IPsec and User Authentication
>
> RADIUS to an RSA Secure server using 2 phase auth. in most cases.
>
> Christopher S. Gripp
> Systems Engineer
> Axcelerant
> Connecting Everyone In Your Business World
> Visit us @ http://www.axcelerant.com
>
> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Tina Bird
> Sent: Tuesday, February 13, 2001 7:43 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: IPsec and User Authentication
>
> Hi all --
>
> I am in the middle of revising my VPN tutorial (the USENIX/SANS class), and in looking at the IPsec section a question has arisen.
>
> How many of you are using IPsec for remote access VPN -- that is, for replacing dial-ups for individual users, rather than site-to-site? If you are, what are you doing for user authentication?
>
> The book answers seem to be user-based digital certificates (if you've got some way to associate them with a user rather than a machine), one of the "hybrid" authentication mechanisms (XAUTH and its relatives), or some layering of IPsec with protocols like PPTP or L2TP (which include "traditional" user authentication support). But I'm curious to see what people who are really >doing< it are doing.
>
> Thanks for any info. For those who are curious, I will post results to the list -- and if you really want to get the gory details, I'll be teaching the class at SANS in Baltimore in May.
>
> cheers -- tbird
>
> VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> life: http://kubarb.phsx.ukans.edu/~tbird
> work: http://www.counterpane.com

-----------------------------------------------------------------------------------------------------------
This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Energis Integration Services. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited.

We have an anti-virus system installed on all our PCs and therefore any files leaving us via e-mail will have been checked for known viruses. Energis Integration Services accepts no responsibility once an e-mail and any attachments leave us.

If you have received this email in error please notify Energis Integration Services Communications IT department on +44 (0) 1494 476222.
-----------------------------------------------------------------------------------------------------------


From shope at ENERGIS-EIS.CO.UK Wed Feb 14 06:02:27 2001
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Wed, 14 Feb 2001 11:02:27 -0000
Subject: Can I setup a VPN this way?
Message-ID: <01903665B361D211BF6700805FAD5D93D9E5DC@mail.datarange.co.uk>

The short answer is "it depends".

If the WAN connections are between routers (typical case), then what you have is a "cloud" with 3 firewall / VPN boxes attached to it. The logical and physical topologies in the cloud are separated, and you can define the tunnels any way you want between the VPN boxes.
It is common practice to have VPN and firewall kit with Ethernet - Ethernet connections, so you would need separate WAN hardware (routers).

If you are using serial interfaces on the Checkpoint stuff (I have only ever seen this mentioned on the Nokia Checkpoint hardware, and it seems pretty rare in that environment) and have a combined firewall / VPN system, then life gets more complicated - you will probably need to define some rules to pass the traffic "through" at the central site. Since it sounds like a private network, you should be able to avoid NAT......

If all you have is Checkpoint VPN, no firewall, then I don't have an answer for you (I have always ended up with the firewalls, so I don't have the info).

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Ivan Fox [mailto:ifox100 at HOTMAIL.COM]
> Sent: 14 February 2001 00:30
> To: VPN at SECURITYFOCUS.COM
> Subject: Can I setup a VPN this way?
>
> There are 3 sites in serial, i.e., A -> B -> C. Each site has a Check Point VPN-1. They are connected using leased E1 lines.
>
> Can a VPN start at site A and terminate at site C? Each site has its own network id!
>
> Any comments are appreciated.
>
> By the way, can a VLAN (layer 3) also provide "security"?
>
> Any pointers/comments are welcome.
>
> Ivan


From Rinie.vanHaperen at NL.ORIGIN-IT.COM Wed Feb 14 09:01:29 2001
From: Rinie.vanHaperen at NL.ORIGIN-IT.COM (van Haperen, Rinie)
Date: Wed, 14 Feb 2001 15:01:29 +0100
Subject: IPsec and User Authentication
Message-ID: <986AEA765305D311AA7B0008C75D97AF059A6021@nlehx020.ehvvan.nl.origin-it.com>

We use RADIUS in combination with RSA SecurID. This also enables us to use both VPN and 'old fashioned' modem dial-in in combination for our 10000 remote users. Btw, we use the Intel VPN Gateway (formerly Shiva).

Rinie van Haperen
Atos Origin
The Netherlands

-----Original Message-----
From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
Sent: Tuesday, February 13, 2001 4:43 PM
To: VPN at SECURITYFOCUS.COM
Subject: IPsec and User Authentication

Hi all --

I am in the middle of revising my VPN tutorial (the USENIX/SANS class), and in looking at the IPsec section a question has arisen.

How many of you are using IPsec for remote access VPN -- that is, for replacing dial-ups for individual users, rather than site-to-site? If you are, what are you doing for user authentication?
The book answers seem to be user-based digital certificates (if you've got some way to associate them with a user rather than a machine), one of the "hybrid" authentication mechanisms (XAUTH and its relatives), or some layering of IPsec with protocols like PPTP or L2TP (which include "traditional" user authentication support). But I'm curious to see what people who are really >doing< it are doing.

Thanks for any info. For those who are curious, I will post results to the list -- and if you really want to get the gory details, I'll be teaching the class at SANS in Baltimore in May.

cheers -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com


From dgillett at NIKU.COM Wed Feb 14 15:06:48 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Wed, 14 Feb 2001 12:06:48 -0800
Subject: IPsec and User Authentication
Message-ID: <002e01c096c1$aa2c7a30$f30410ac@niku.com>

> Mainly, I've used Cisco based VPN technologies (router/PIX and 3000 concentrator). The best choice for authentication is the 3000 concentrator. You can have it authenticate directly to an NT database or tacacs server. Perfect. However, it can be very expensive.

Authenticating against NT was one of the things that attracted us to the 3000. The bulk of our users find two account/password combinations taxing, and 3 or 4 would simply be impractical to support. [Yes, I know that different passwords on different systems should limit the scope of an account compromise, but real-world users see our network as one "system"....]

Although the up-front hardware cost of the 3000 was on the high side for the scale of device we needed, we were attracted by the scope for growth and by the client licensing; we concluded that on a TCO basis, it was actually quite competitive.
> As for authenticating the clients that terminate at a router or VPN, most implementations that I have seen/done have been simply pre-shared keys with either a local username and password at the PIX or router or a Tacacs server. People choose this over certs and other authentication methods because it is easy to deploy on a large scale. Simply export/import the client policy to a new machine, etc.

Ease of deployment counts for a whole lot, especially when the person on the other end is of unknown/limited background -- and, in the case of an extranet, may not even be an employee of the same company.

Again, we know how to make things more secure, but only by depressing usability beyond the current critical threshold.

David Gillett
Senior Network Engineer (650) 701-2702
Niku Corp. "Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of BHaney
Sent: Tuesday, February 13, 2001 9:06 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: IPsec and User Authentication

As a consultant, I've set it up with a variety of different authentication policies. But usually people want something that is low administration and transparent. Most travelling sales people or the CEO who wants to VPN in from home don't want to deal with the problems associated with extensive authentication.

Mainly, I've used Cisco based VPN technologies (router/PIX and 3000 concentrator). The best choice for authentication is the 3000 concentrator. You can have it authenticate directly to an NT database or TACACS server. Perfect. However, it can be very expensive.

As for authenticating the clients that terminate at a router or VPN, most implementations that I have seen/done have been simply pre-shared keys with either a local username and password at the PIX or router or a TACACS server. People choose this over certs and other authentication methods because it is easy to deploy on a large scale. Simply export/import the client policy to a new machine, etc.

I've worked with quite a few reputable companies and you would be surprised at how lax the security is simply because they don't want the hassle of synchronizing databases, etc.

That's my experience.

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Tina Bird
Sent: Tuesday, February 13, 2001 8:43 AM
To: VPN at SECURITYFOCUS.COM
Subject: IPsec and User Authentication

Hi all --

I am in the middle of revising my VPN tutorial (the USENIX/SANS class), and in looking at the IPsec section a question has arisen.

How many of you are using IPsec for remote access VPN -- that is, for replacing dial-ups for individual users, rather than site-to-site? If you are, what are you doing for user authentication?

The book answers seem to be user-based digital certificates (if you've got some way to associate them with a user rather than a machine), one of the "hybrid" authentication mechanisms (XAUTH and its relatives), or some layering of IPsec with protocols like PPTP or L2TP (which include "traditional" user authentication support). But I'm curious to see what people who are really >doing< it are doing.

Thanks for any info. For those who are curious, I will post results to the list -- and if you really want to get the gory details, I'll be teaching the class at SANS in Baltimore in May.

cheers -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com


From dgillett at NIKU.COM Wed Feb 14 15:12:04 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Wed, 14 Feb 2001 12:12:04 -0800
Subject: Can I setup a VPN this way?
Message-ID: <002f01c096c2$667ddbc0$f30410ac@niku.com>

> Can a VPN start at site A and terminate at site C? Each site has its own network id!

In theory, yes.
In practice, the NetScreen boxes don't do this up to version 2.0x; I don't yet know if 2.5 succeeded in adding this capability. (It was on an early list of intended features for this release.)

> By the way, can a VLAN (lay 3) also provide "security"?

Somewhat, but VLANs aren't really designed to be a security tool, and so their trunking protocols *may* be subject to vulnerabilities. I'd think carefully about how important security is to your situation before relying on VLANs as the mechanism.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp.
"Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Ivan Fox
Sent: Tuesday, February 13, 2001 4:30 PM
To: VPN at SECURITYFOCUS.COM
Subject: Can I setup a VPN this way?

There are 3 sites in serial, i.e., A -> B -> C. Each site has a Check Point VPN-1. They are connected using leased E1 lines.

Can a VPN start at site A and terminate at site C? Each site has its own network id!

Any comments are appreciated.

By the way, can a VLAN (lay 3) also provide "security"?

Any pointers/comments are welcome.

Ivan

From shope at ENERGIS-EIS.CO.UK Thu Feb 15 04:09:50 2001
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Thu, 15 Feb 2001 09:09:50 -0000
Subject: VPN history
Message-ID: <01903665B361D211BF6700805FAD5D93D9E5F5@mail.datarange.co.uk>

Rick,

I suspect you aren't going far enough back.

X.25 has supported closed user groups since one of the early standards, and it was around before that - no idea when - I trashed all my standards docs for stuff like that a long time ago.

All this was built around the idea of taking features on phone networks and building equivalent data systems, so the idea was probably already in use on voice nets before then....

Stephen

Stephen Hope C.
Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk Carrington Business Park, Carrington, Manchester , UK. M31 4ZU Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189 > -----Original Message----- > From: Rick Smith at Secure Computing > [mailto:rick_smith at SECURECOMPUTING.COM] > Sent: 14 February 2001 14:58 > To: VPN at SECURITYFOCUS.COM > Subject: Re: VPN history > > > At 12:29 PM 2/13/01, you wrote: > >Hello there, > >I need some information about the history of VPN, and > >I was wonder do you can provide such to me. > > Okay, so what is a "VPN" for the purposes of this history? > Presumably it's > something more than point to point link encryption. > > If so, then the 'first' is probably the Private Line > Interfaces put on the > old ARPANET in the '70s. It ran ARPANET host traffic through > an NSA link > encryptor and then pasted the result into regular > host-to-host messages for > normal handling by the network. > > I suppose the 'next' thing was Blacker, and then SDNS, which > ultimately > begat IPSEC. Somewhere in there we have the independent > evolution of PC > things like PPTP. I'm not sure what the first commercial VPN > product was, > but it might have been HannaH, which was based on SDNS. > > For references and details, look at old NCSC and NISSC conference > proceedings. They've got papers on just about all of those > things. The IEEE > Oakland Security and Privacy conference may have a few things, too. > > Rick. > smith at securecomputing.com > > VPN is sponsored by SecurityFocus.COM > ----------------------------------------------------------------------------------------------------------- This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Energis Integration Services. 
If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. We have an anti-virus system installed on all our PC's and therefore any files leaving us via e-mail will have been checked for known viruses. Energis Integration Services accepts no responsibility once an e-mail and any attachments leave us. If you have received this email in error please notify Energis Integration Services Communications IT department on +44 (0) 1494 476222.. ----------------------------------------------------------------------------------------------------------- VPN is sponsored by SecurityFocus.COM From Topi.Hautanen at F-SECURE.COM Thu Feb 15 09:12:39 2001 From: Topi.Hautanen at F-SECURE.COM (Topi Hautanen) Date: Thu, 15 Feb 2001 16:12:39 +0200 Subject: IPSec solutions for Solaris 2.7 or 2.8 References: Message-ID: <3A8BE3D7.B3012CA7@F-Secure.com> Hi Matthew, F-Secure VPN+ will support Solaris SPARC 2.6 and 7 with centralized management and highly interoperable IPSec/IKE. The release will come out in March/April but if you would like to have a beta version, don't hesitate to contact me. Best Regards, Topi Hautanen matthew patton wrote: > > I haven't been able to find a good answer to this yet. Solaris8 comes with > some ipsec features via ipsecconf(1) and ipseckey(1) but from what I can > gather all it supports is manual keying and potentially having to store > sensitive crypto keys on disk. > > Is there no built-in or 3rd party VPN solution for Solaris (sparc or > intel) that does full IKE/ISAKMP? ie. automatic phase1/phase2 keying like > FreeS/wan, Openbsd, and any of the dozen windows/mac based clients do? I > find it hard to believe that Sun could be this far behind the curve... > > -- > Network Security Technologies Inc. 
> - Commercial support for OpenBSD
> www.netsec.net (703) 561-0420 matthew.patton at netsec.net
>
> "Government is not reason; it is not eloquence; it is force!
> Like fire, it is a dangerous servant and a fearful master."
> - George Washington

From mbulford at SILVERSTREAM.COM Thu Feb 15 10:05:40 2001
From: mbulford at SILVERSTREAM.COM (Martin Bulford)
Date: Thu, 15 Feb 2001 15:05:40 -0000
Subject: Authentication
Message-ID: <5116D9346898D4119FBE0008C7F7EBCA176C1D@SPECIALBREW>

Hi,

I am just beginning to experiment with VPN. I have managed to set up a VPN server but am having problems with authentication when trying to connect. I have ports 47 and 1723 open on the firewall.

Any help would be appreciated.
Thanks,
M.

From nvakhari at GENX.NET Thu Feb 15 22:01:45 2001
From: nvakhari at GENX.NET (Nimesh Vakharia)
Date: Thu, 15 Feb 2001 22:01:45 -0500
Subject: A doubt on IPSEC & NAT

IPSec goes NUTS when it gets NAT'ed, but it has no problem accepting traffic that's already NAT'ed. For the device it's just IP traffic.

eg

  NAT'ed Device -------- VPN Device ------- Internet Cloud-->>>

This setup works fine. This is feasible but it's difficult to work it into an already existing implementation. You're probably going to have a change in design/addressing changes, worry about single points of failure etc. But hey, it works.

People start freaking out when they see NAT and need VPN because there are a ton of problems with it. But the order is very important and doesn't get mentioned! NAT then VPN works... I think the "ORDER" seriously needs to be stressed a lot more.

Nimesh.

On Tue, 13 Feb 2001, Robert G Palmer Jr wrote:

> What exactly do you mean by "it's a lot better to do it the other way
> around" - NAT through IPSEC?
> > > on 2/13/01 11:13 AM, Joel M Snyder at Joel.Snyder at OPUS1.COM wrote: > > > The short answer is that NAT is an evil thing and while it is possible > > to get IPSEC going through NAT, it's a lot better to do it the other way > > around. > > ----------------------------- > Robert G. Palmer, Jr. > Product Engineer > robert.palmer at ipix.com > iPIX - The Leader in Dynamic Imaging > Phone: (865)-482-3000 > http://www.ipix.com > > VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From rick_smith at SECURECOMPUTING.COM Thu Feb 15 15:21:51 2001 From: rick_smith at SECURECOMPUTING.COM (Rick Smith at Secure Computing) Date: Thu, 15 Feb 2001 14:21:51 -0600 Subject: VPN history In-Reply-To: <01903665B361D211BF6700805FAD5D93D9E5F5@mail.datarange.co.u k> Message-ID: <4.3.2.7.0.20010215135741.00ac8990@posey.sctc.com> At 03:09 AM 2/15/01, you wrote: >Rick, > >I suspect you arent going far enough back. > >X.25 has supported closed user groups since one of the early standards, and >it was around before that - no idea when - i trashed all my standards docs >for stuff like that a long time ago. X.25 evolved after the ARPANET. I believe it grew out of Telenet's commercial digital network service, which was started by some ARPANET people, and was picked up by CCITT as the basis for the international standard. I remember early X.25 specs were sprinkled with notes about "Telenet" and "non-Telenet" features. I believe the PLIs and X.25 may have evolved around the same time. Also, my impression was that X.25 closed user groups represented more of a "real private network" as opposed to a "virtual private network," since they were enforced by the network carrier and not by the customers themselves. By the same token, point to point digital service doesn't really represent a 'virtual private network' because again the privacy was enforced by the service provider. Rick. 
smith at securecomputing.com VPN is sponsored by SecurityFocus.COM From Ole.Vik at CONNECT.NO Thu Feb 15 11:42:27 2001 From: Ole.Vik at CONNECT.NO (Ole Vik) Date: Thu, 15 Feb 2001 17:42:27 +0100 Subject: VPN history Message-ID: <917620097Ole.Vik@connect.no> The X.25 stuff is from the middle of 1970s. The X.25 spec is from 1974. I worked on an implementation in 1978. We should probably include IBM SNA in the history as well. Closed user groups is not a very new invention. In SNA IBM uses SDLC, X.25 uses HDLC (link layer protocol). As far as I remember, the main difference is the CRC-algorithm used. -- Ole Vik, Connect AS, Blakstadmarka 26, 1386 Asker, Norway. Telephone +47-66 90 23 00. Telefax +47-66 90 23 05. On 15. februar 2001 10:09, Stephen Hope wrote: >Rick, > >I suspect you arent going far enough back. > >X.25 has supported closed user groups since one of the early standards, and >it was around before that - no idea when - i trashed all my standards docs >for stuff like that a long time ago. > >All this was built around the idea of taking features on phone networks and >building equivalent data systems, so the idea was probably already in use on >voice nets before then.... > >Stephen > >Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, >Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk >Carrington Business Park, Carrington, Manchester , UK. M31 4ZU >Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 >4189 > > >> -----Original Message----- >> From: Rick Smith at Secure Computing >> [mailto:rick_smith at SECURECOMPUTING.COM] >> Sent: 14 February 2001 14:58 >> To: VPN at SECURITYFOCUS.COM >> Subject: Re: VPN history >> >> >> At 12:29 PM 2/13/01, you wrote: >> >Hello there, >> >I need some information about the history of VPN, and >> >I was wonder do you can provide such to me. >> >> Okay, so what is a "VPN" for the purposes of this history? 
>> Presumably it's >> something more than point to point link encryption. >> >> If so, then the 'first' is probably the Private Line >> Interfaces put on the >> old ARPANET in the '70s. It ran ARPANET host traffic through >> an NSA link >> encryptor and then pasted the result into regular >> host-to-host messages for >> normal handling by the network. >> >> I suppose the 'next' thing was Blacker, and then SDNS, which >> ultimately >> begat IPSEC. Somewhere in there we have the independent >> evolution of PC >> things like PPTP. I'm not sure what the first commercial VPN >> product was, >> but it might have been HannaH, which was based on SDNS. >> >> For references and details, look at old NCSC and NISSC conference >> proceedings. They've got papers on just about all of those >> things. The IEEE >> Oakland Security and Privacy conference may have a few things, too. >> >> Rick. >> smith at securecomputing.com >> >> VPN is sponsored by SecurityFocus.COM >> > >----------------------------------------------------------------------------------------------------------- > >This email is confidential and intended solely for the use of the individual to >whom it is addressed. Any views or opinions presented are solely those of the >author and do not necessarily represent those of Energis Integration Services. >If you are not the intended recipient, be advised that you have received this >email in error and that any use, dissemination, forwarding, printing, or copying >of this email is strictly prohibited. > >We have an anti-virus system installed on all our PC's and therefore any files >leaving us via e-mail will have been checked for known viruses. >Energis Integration Services accepts no responsibility once an e-mail >and any attachments leave us. > >If you have received this email in error please notify Energis >Integration Services Communications >IT department on +44 (0) 1494 476222.. 
>-----------------------------------------------------------------------------------------------------------

From lists at FIPS.DE Thu Feb 15 13:08:25 2001
From: lists at FIPS.DE (Philipp Buehler)
Date: Thu, 15 Feb 2001 19:08:25 +0100
Subject: Authentication
In-Reply-To: <5116D9346898D4119FBE0008C7F7EBCA176C1D@SPECIALBREW>; "Martin Bulford" on 15.02.2001 @ 16:05:40 MET
References: <5116D9346898D4119FBE0008C7F7EBCA176C1D@SPECIALBREW>
Message-ID: <20010215190825.A16270@pohl.fips.de>

On 15/02/2001, Martin Bulford wrote To VPN at SECURITYFOCUS.COM:
> I am just beginning to experiment with VPN, I have managed to set-up a VPN
> server but am having problems with authentication when trying to connect, I
> have ports 47 and 1723 open on the firewall.

It's *protocol* 47, not the port.

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |
#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?

From Patrick.Bryan at LN.SSW.ABBOTT.COM Fri Feb 16 15:30:50 2001
From: Patrick.Bryan at LN.SSW.ABBOTT.COM (Patrick Bryan)
Date: Fri, 16 Feb 2001 14:30:50 -0600
Subject: PDA VPN Clients
Message-ID: <0055600002727077000002L072*@MHS>

Does anyone know if a PDA IPSEC compliant VPN client exists, and for which type of PDA?

From dale at GREP.NET Thu Feb 15 11:27:03 2001
From: dale at GREP.NET (Dale Handy)
Date: Thu, 15 Feb 2001 09:27:03 -0700
Subject: Authentication
In-Reply-To: <5116D9346898D4119FBE0008C7F7EBCA176C1D@SPECIALBREW>
Message-ID: <4.2.0.58.20010215092524.00aca8b0@mail.grep.net>

That should be TCP port 1723, and IP protocol #47 (GRE). I assume that you are trying to use Microsoft's PPTP.
At 03:05 PM 2/15/2001 +0000, you wrote: >Hi, >I am just beginning to experiment with VPN, I have managed to set-up a VPN >server but am having problems with authentication when trying to connect, I >have ports 47 and 1723 open on the firewall. > >Any help would be appreciated >Thanks, >M. > >VPN is sponsored by SecurityFocus.COM --------- "A ship in harbor is safe, but that is not what ships are for." -- Dale L. Handy, P.E. GrepNet, Inc. dale at grep.net VPN is sponsored by SecurityFocus.COM From rick_bursey at ABICON.COM Thu Feb 15 14:00:13 2001 From: rick_bursey at ABICON.COM (Bursey, Rick) Date: Thu, 15 Feb 2001 15:30:13 -0330 Subject: VPN Information Message-ID: <852569F4.0068BA74.00@mailhost.abicon.com> Hi All, I'm a Network Administrator with Abitibi-Consolidated, Inc. in their Grand Falls, Newfoundland division. Abitibi-Consilidated, Inc. is a large multi-national paper manufacturer with many divisions (mostly in Canada and the United States) and sales offices located in many places world wide. http://www.abicon.com We are in the preliminary stages of testing and setting up a VPN for the corporation. As part of this process we are asking other people who may have setup VPN for their company about their experiences. I was wondering if you would be willing to answer a few questions for me? 1. What vendor did you use? 2. Why did you choose this vendor? 3. How many access points do you have? 4. What were your experiences? ie. problems, gotchas etc. 5. What would you differently if you had to do this project again? 6. Any other advice you may have? Once again, thanks for any information/advice that any of you may be willing to share. Also, this is my first post to this listserv, so please forgive me if I've done something wrong. -Rick. Rick Bursey Abiti-Consolidated, Inc. 
Grand Falls Division Grand Falls-Windsor, Newfoundland A2A 1K1 phone: 709 292-3243 fax 709 489-6119 VPN is sponsored by SecurityFocus.COM From franci.jereb at MIBO.SI Mon Feb 19 09:50:56 2001 From: franci.jereb at MIBO.SI (Franci Jereb) Date: Mon, 19 Feb 2001 15:50:56 +0100 Subject: No subject Message-ID: <3A9140E0.12113.160F3CC7@localhost> hi guys, i'm testing VPN conectivity between Contivity and Instant Internet, but unfortunatelly I don't have the latest firmware version 7.10 or 7.11. I would like to tested first if it works for my purpose. Then if it'll working I'll buy several boxes. Does anybody have this update CD pack to the latest 7.10 or 7.11. Thanks Best regards, Franci Jereb System engineer MIBO Komunikacije Phone: + 386 1 47 35 300 Fax: + 386 1 47 35 323 web: www.mibo.si VPN is sponsored by SecurityFocus.COM From Patrick.Bryan at LN.SSW.ABBOTT.COM Fri Feb 16 15:24:35 2001 From: Patrick.Bryan at LN.SSW.ABBOTT.COM (Patrick Bryan) Date: Fri, 16 Feb 2001 14:24:35 -0600 Subject: Cisco 3015 VPN Concentrators Message-ID: <0055600002726483000002L032*@MHS> Hi, I'm considering deploying a series of load balanced Cisco 3015 VPN Concentrators. Does anyone have any idea how much load a single concentrator can handle? According to Cisco, a single 3015 will support 100 connections with a 4MB/sec throughput. Any input would be appreciated. Patrick A. Bryan Sr. Systems Analyst Abbott Laboratories VPN is sponsored by SecurityFocus.COM From nvakhari at GENX.NET Tue Feb 20 13:25:41 2001 From: nvakhari at GENX.NET (Nimesh Vakharia) Date: Tue, 20 Feb 2001 13:25:41 -0500 Subject: PIX and VPNet In-Reply-To: Message-ID: Anyone out there with comments/experience with interoperating PIX and VPNet VSU's? Any gotcha's? Nimesh. On Thu, 15 Feb 2001, Nimesh Vakharia wrote: > IPSec goes NUTS when it gets nat'ed but it has no problem accepting > traffic thats already nat'ed. For the device its just IP traffic. 
> > eg > > NAT'ed Device -------- VPN Device ------- Internet Cloud-->>> > > This setup works fine. This is feasible but its difficult to work it into > an already existing implementation. U'r probably going to have a change in > design/addressing changes, worry about single points of failures etc. But > hey it works. > > People start freaking out when they see NAT and need VPN because there are > a ton of problems with it. But the order is very important and dosen't get > mentioned! NAT then VPN works... I think the "ORDER" seriously needs to be > stressed a lot more. > > Nimesh. > > On Tue, 13 Feb 2001, Robert G Palmer Jr wrote: > > > What exactly do you mean by "it's a lot better to do it the other way > > around" - NAT through IPSEC? > > > > > > on 2/13/01 11:13 AM, Joel M Snyder at Joel.Snyder at OPUS1.COM wrote: > > > > > The short answer is that NAT is an evil thing and while it is possible > > > to get IPSEC going through NAT, it's a lot better to do it the other way > > > around. > > > > ----------------------------- > > Robert G. Palmer, Jr. > > Product Engineer > > robert.palmer at ipix.com > > iPIX - The Leader in Dynamic Imaging > > Phone: (865)-482-3000 > > http://www.ipix.com > > > > VPN is sponsored by SecurityFocus.COM > > > > VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From jgilbert at SAFENET-INC.COM Thu Feb 15 11:36:50 2001 From: jgilbert at SAFENET-INC.COM (Jane Gilbert) Date: Thu, 15 Feb 2001 11:36:50 -0500 Subject: VPN history Message-ID: <3E89A18A51CBD411BD1B0002A507C88B10D2B7@MAX> There were also End-to-End encryption products available for X.25 data networks as early as 1989. They allowed end users to dial asynchronously into local PADS (packet assemblers/disassemblers) and communicate securely with hosts sitting on an X.25 connection to a public X.25 network. Asen, if you'd like more information on these early VPNs, feel free to e-mail me. They're actually still in place today and still being deployed. 
And thanks for giving me the opportunity to date myself. : ) Jane Gilbert SafeNet, Inc. -----Original Message----- From: Rick Smith at Secure Computing [mailto:rick_smith at SECURECOMPUTING.COM] Sent: Wednesday, February 14, 2001 9:58 AM To: VPN at SECURITYFOCUS.COM Subject: Re: VPN history At 12:29 PM 2/13/01, you wrote: >Hello there, >I need some information about the history of VPN, and >I was wonder do you can provide such to me. Okay, so what is a "VPN" for the purposes of this history? Presumably it's something more than point to point link encryption. If so, then the 'first' is probably the Private Line Interfaces put on the old ARPANET in the '70s. It ran ARPANET host traffic through an NSA link encryptor and then pasted the result into regular host-to-host messages for normal handling by the network. I suppose the 'next' thing was Blacker, and then SDNS, which ultimately begat IPSEC. Somewhere in there we have the independent evolution of PC things like PPTP. I'm not sure what the first commercial VPN product was, but it might have been HannaH, which was based on SDNS. For references and details, look at old NCSC and NISSC conference proceedings. They've got papers on just about all of those things. The IEEE Oakland Security and Privacy conference may have a few things, too. Rick. smith at securecomputing.com VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From rgm at ICSA.NET Tue Feb 20 14:14:46 2001 From: rgm at ICSA.NET (Robert Moskowitz) Date: Tue, 20 Feb 2001 14:14:46 -0500 Subject: VPN history In-Reply-To: <917620097Ole.Vik@connect.no> Message-ID: <5.0.0.25.2.20010220140718.028ec350@localhost> At 05:42 PM 2/15/2001 +0100, Ole Vik wrote: >The X.25 stuff is from the middle of 1970s. The X.25 spec is from 1974. I >worked on an implementation in 1978. We should probably include IBM SNA in >the history as well. Closed user groups is not a very new invention. In >SNA IBM uses SDLC, X.25 uses HDLC (link layer protocol). 
>As far as I
>remember, the main difference is the CRC-algorithm used.

The issue here is what is virtual, what is private, and how do you define a network.

I can argue very strongly that using named groups to segment a group of users on a larger network is not virtual. Don't forget NetBios SCOPE, which is still used today.

However, running the network protocol over the network protocol DOES create a virtual network. IP-in-IP has been around for a while; it is the basis of the MBONE. I personally like to limit the use of VPN to the case where over some network a network is run. Another example is MCI's national frame relay network, which originally was frame relay over IP (on Wellfleet routers).

I also prefer to distinguish whether the owner of the VPN controls membership, or some provider. Thus a Frame relay network made up of PVCs, or the older X.25 equivalent, is private only to the extent that you trust your provider (and I personally know of cases where the provider was required to include government agencies in some of these supposedly 'private' networks).

Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of the TruSecure Corporation
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From jbaumgardner at PROACTUSA.COM Thu Feb 15 13:06:02 2001
From: jbaumgardner at PROACTUSA.COM (James Baumgardner)
Date: Thu, 15 Feb 2001 10:06:02 -0800
Subject: VPN and routing
Message-ID: <0D0434654D4CD411857A00508B9A74CE0EA906@MAIL>

I have a proxy server on our internal network that allows access to the outside world. I also have set up a VPN box using Linux/FreeSwan. I want all traffic routed to the other private network to go through the VPN box, so do I add this routing entry to the PROXY, or do I make it the default gateway? What is the ideal solution?
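Two points made earlier in this thread lend themselves to a worked example: Philipp Buehler's and Dale Handy's correction that PPTP needs IP *protocol* 47 (GRE) plus TCP port 1723, not "port 47", and Nimesh Vakharia's observation that NAT before IPsec works while IPsec through NAT does not. The Python below is an added illustration, not code from any poster on the list; the packets, the addresses (RFC 5737 documentation ranges), and the HMAC-based integrity check standing in for AH are all constructed for the demonstration.

```python
"""
Added illustration (not from any poster) of two points in this thread:

  1. PPTP needs TCP port 1723 *and* IP protocol 47 (GRE). A rule that opens
     "port 47" instead of protocol 47 passes the control channel but never
     matches the GRE tunnel.
  2. NAT before IPsec works; IPsec through NAT breaks. An AH-style integrity
     check covers the outer IP addresses, so a NAT box rewriting the source
     address *after* the check value was computed makes verification fail.

Packets, addresses and the key are constructed; the IP checksum is left at 0.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_PORT = 1723


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (IHL=5, no options) followed by payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def parse_ipv4(pkt):
    """Extract what a packet filter keys on: addresses, protocol, TCP ports."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": proto, "sport": None, "dport": None,
    }
    if proto == IPPROTO_TCP and len(pkt) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def pptp_rule_correct(pkt):
    """Dale Handy's rule: TCP/1723 for control, IP protocol 47 for the GRE tunnel."""
    p = parse_ipv4(pkt)
    return (p["proto"] == IPPROTO_TCP and p["dport"] == PPTP_PORT) or p["proto"] == IPPROTO_GRE


def pptp_rule_port47(pkt):
    """The mistake in the original question: 'ports 47 and 1723' opened, GRE never matched."""
    p = parse_ipv4(pkt)
    return p["proto"] == IPPROTO_TCP and p["dport"] in (47, PPTP_PORT)


# --- NAT ordering -----------------------------------------------------------

DEMO_KEY = b"constructed-demo-key"  # stands in for the negotiated SA key


def ah_icv(pkt):
    """Toy AH-style integrity check value.

    Real AH uses the SA's algorithm and zeroes the mutable fields (TTL, TOS,
    checksum, flags); what matters here is that source and destination
    addresses ARE covered, exactly as in real AH.
    """
    covered = pkt[0:1] + pkt[2:4] + pkt[9:10] + pkt[12:20] + pkt[20:]
    return hmac.new(DEMO_KEY, covered, hashlib.sha256).digest()[:12]


def ah_verify(pkt, icv):
    return hmac.compare_digest(ah_icv(pkt), icv)


def nat_source(pkt, public_ip):
    """What a NAT device does on the way out: rewrite the source address."""
    return pkt[:12] + ipaddress.IPv4Address(public_ip).packed + pkt[16:]


def nat_then_ipsec(inner, public_ip):
    """Nimesh's working order: NAT'ed Device -> VPN Device -> Internet.
    The VPN device sees already-translated IP traffic and protects that."""
    translated = nat_source(inner, public_ip)
    icv = ah_icv(translated)            # computed on what the peer will receive
    return ah_verify(translated, icv)   # peer's check passes


def ipsec_then_nat(inner, public_ip):
    """Broken order: protect first, then a NAT box between the VPN peers
    rewrites a header field the ICV already covers."""
    icv = ah_icv(inner)
    return ah_verify(nat_source(inner, public_ip), icv)   # peer's check fails


def demo():
    """Returns (correct rule passes GRE, port-47 rule passes GRE, NAT-then-IPsec ok, IPsec-then-NAT ok)."""
    gre = build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_GRE, b"\x30\x01\x88\x0b")
    inner = build_ipv4("10.0.0.7", "198.51.100.1", IPPROTO_TCP, b"\x9c\x40\x00\x50")
    return (pptp_rule_correct(gre), pptp_rule_port47(gre),
            nat_then_ipsec(inner, "203.0.113.5"), ipsec_then_nat(inner, "203.0.113.5"))


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The same ordering argument applies to ESP in transport mode, where NAT breaks the TCP/UDP checksum hidden inside the encrypted payload rather than an explicit ICV; the fix the thread arrives at is the same either way: translate first, then hand the traffic to the VPN device.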
VPN is sponsored by SecurityFocus.COM From bjaber at IPASS.COM Tue Feb 20 14:46:17 2001 From: bjaber at IPASS.COM (Basim Jaber) Date: Tue, 20 Feb 2001 11:46:17 -0800 Subject: Cisco 3015 VPN Concentrators Message-ID: <71038994C3C0D411AD0C009027723C2C44F885@mtvxfiles.corp.ipass.com> The Cisco VPN 3000 Series Concentrator Administrator Guide mentions nothing of "load balancing", but they do mention VRRP (Virtual Router Redundancy Protocol). VRRP will be beneficial when the primary switch goes down (i.e. backup), but I don't believe the latest version of Cisco's VPN 3000 (v2.5.2) covers load balancing. Someone correct me if I'm wrong, please. Basim S. Jaber Senior Systems Engineer VPN Services / Customer Implementation iPass Inc. >-----Original Message----- >From: Patrick Bryan [mailto:Patrick.Bryan at LN.SSW.ABBOTT.COM] >Sent: Friday, February 16, 2001 12:25 PM >To: VPN at SECURITYFOCUS.COM >Subject: Cisco 3015 VPN Concentrators > > >Hi, > >I'm considering deploying a series of load balanced Cisco 3015 VPN >Concentrators. Does anyone have any idea how much load a >single concentrator >can handle? According to Cisco, a single 3015 will support 100 >connections >with a 4MB/sec throughput. Any input would be appreciated. > > >Patrick A. Bryan >Sr. Systems Analyst >Abbott Laboratories > >VPN is sponsored by SecurityFocus.COM > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.shmoo.com/pipermail/vpn/attachments/20010220/a30b8e09/attachment.htm From tin at LE.ORG Tue Feb 20 14:36:28 2001 From: tin at LE.ORG (Tin Le) Date: Tue, 20 Feb 2001 11:36:28 -0800 Subject: PDA VPN Clients In-Reply-To: <0055600002727077000002L072*@MHS> Message-ID: Certicom just recently announced their movianVPN for Palm OS 3.5 and Win CE. Check out their web site at http://www.certicom.com I beta tested an early version for PalmOS connecting to a Cisco box. It works fine on my Vx. 
Tin Le ---- http://tin.le.org Tin Le - tin at le.org Firewall and Security Consulting On Fri, 16 Feb 2001, Patrick Bryan wrote: > Date: Fri, 16 Feb 2001 14:30:50 -0600 > From: Patrick Bryan > To: VPN at SECURITYFOCUS.COM > Subject: PDA VPN Clients > Does anyone know if a PDA IPSEC compliant VPN client exists, and for which > type of PDA? > VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From rshamayev at VIRIDIEN.COM Thu Feb 15 16:34:09 2001 From: rshamayev at VIRIDIEN.COM (Ruslan Shamayev) Date: Thu, 15 Feb 2001 16:34:09 -0500 Subject: VPN history Message-ID: <230F696D671FD411A59F00508BC28D2568ACA1@swanmail.viridien.com> look into this site for an article: http://idm.internet.com/articles/199911/ft_11_16_99a.html -----Original Message----- From: Stephen Hope [mailto:shope at ENERGIS-EIS.CO.UK] Sent: Thursday, February 15, 2001 4:10 AM To: VPN at SECURITYFOCUS.COM Subject: Re: VPN history Rick, I suspect you arent going far enough back. X.25 has supported closed user groups since one of the early standards, and it was around before that - no idea when - i trashed all my standards docs for stuff like that a long time ago. All this was built around the idea of taking features on phone networks and building equivalent data systems, so the idea was probably already in use on voice nets before then.... Stephen Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk Carrington Business Park, Carrington, Manchester , UK. M31 4ZU Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189 > -----Original Message----- > From: Rick Smith at Secure Computing > [mailto:rick_smith at SECURECOMPUTING.COM] > Sent: 14 February 2001 14:58 > To: VPN at SECURITYFOCUS.COM > Subject: Re: VPN history > > > At 12:29 PM 2/13/01, you wrote: > >Hello there, > >I need some information about the history of VPN, and > >I was wonder do you can provide such to me. 
> > Okay, so what is a "VPN" for the purposes of this history? > Presumably it's > something more than point to point link encryption. > > If so, then the 'first' is probably the Private Line > Interfaces put on the > old ARPANET in the '70s. It ran ARPANET host traffic through > an NSA link > encryptor and then pasted the result into regular > host-to-host messages for > normal handling by the network. > > I suppose the 'next' thing was Blacker, and then SDNS, which > ultimately > begat IPSEC. Somewhere in there we have the independent > evolution of PC > things like PPTP. I'm not sure what the first commercial VPN > product was, > but it might have been HannaH, which was based on SDNS. > > For references and details, look at old NCSC and NISSC conference > proceedings. They've got papers on just about all of those > things. The IEEE > Oakland Security and Privacy conference may have a few things, too. > > Rick. > smith at securecomputing.com > > VPN is sponsored by SecurityFocus.COM > ---------------------------------------------------------------------------- ------------------------------- This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Energis Integration Services. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. We have an anti-virus system installed on all our PC's and therefore any files leaving us via e-mail will have been checked for known viruses. Energis Integration Services accepts no responsibility once an e-mail and any attachments leave us. If you have received this email in error please notify Energis Integration Services Communications IT department on +44 (0) 1494 476222.. 
From Patrick.Bryan at LN.SSW.ABBOTT.COM Tue Feb 20 15:22:24 2001
From: Patrick.Bryan at LN.SSW.ABBOTT.COM (Patrick Bryan)
Date: Tue, 20 Feb 2001 14:22:24 -0600
Subject: Cisco 3015 VPN Concentrators
Message-ID: <0055600002955083000002L032*@MHS>

I guess I should rephrase that.. I am thinking of using DNS to implement simple balancing...

Patrick A. Bryan
Sr. Systems Analyst
Abbott Laboratories
Dept. 0070 Building AP14B

bjaber at ipass.com
02/20/01 01:48 PM
To: VPN at SECURITYFOCUS.COM, Patrick A Bryan/LAKE/CHMS/ABBOTT at ABBOTT
cc:
Subject: RE: Cisco 3015 VPN Concentrators

The Cisco VPN 3000 Series Concentrator Administrator Guide mentions nothing of "load balancing", but they do mention VRRP (Virtual Router Redundancy Protocol). VRRP will be beneficial when the primary switch goes down (i.e. backup), but I don't believe the latest version of Cisco's VPN 3000 (v2.5.2) covers load balancing. Someone correct me if I'm wrong, please.

Basim S. Jaber
Senior Systems Engineer
VPN Services / Customer Implementation
iPass Inc.

> -----Original Message-----
> From: Patrick Bryan [mailto:Patrick.Bryan at LN.SSW.ABBOTT.COM]
> Sent: Friday, February 16, 2001 12:25 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Cisco 3015 VPN Concentrators
>
> Hi,
>
> I'm considering deploying a series of load balanced Cisco 3015 VPN Concentrators. Does anyone have any idea how much load a single concentrator can handle? According to Cisco, a single 3015 will support 100 connections with a 4MB/sec throughput. Any input would be appreciated.
>
> Patrick A. Bryan
> Sr. Systems Analyst
> Abbott Laboratories

From Hugo at MICMAC.COM.BR Tue Feb 20 15:47:49 2001
From: Hugo at MICMAC.COM.BR (Hugo Caye)
Date: Tue, 20 Feb 2001 17:47:49 -0300
Subject: W2K VPN Basic Questions

Where can I find a tutorial for setting up using Windows 2000 with IPSec?
==>> Look at these: "Step-by-Step Guide to Internet Protocol Security (IPSec)", "IPSec Implementation", "IPSec Architecture"

Should I pay Microsoft for using this feature?
==>> I hope not...

Which Windows 2000 Server version supports IPSec VPN?
==>> VPN Server: any Win2K with RRAS (Win2K Server and up).

Can Windows NT and Windows 95/98 be IPsec clients for Windows 2000?
==>> AFAIK, Win2K Pro and up. Win9x just PPTP.

Sorry for these dummy questions. Is there any FAQ?
==>>

Hth,
Hugo Caye

   O__
 c/ /'_
(*) \(*)
~~~~~~~~
ccna ccda mcne? cip mcse cne5

[]s RRodrigues

From bjaber at IPASS.COM Tue Feb 20 15:49:49 2001
From: bjaber at IPASS.COM (Basim Jaber)
Date: Tue, 20 Feb 2001 12:49:49 -0800
Subject: W2K VPN Basic Questions
Message-ID: <71038994C3C0D411AD0C009027723C2C44F88C@mtvxfiles.corp.ipass.com>

Ramiro,

> Where can I find a tutorial for setting up using Windows 2000 with IPSec?

A good start would be one of the Microsoft Windows 2000 Server Administration publications. I have one from Microsoft Press which is fairly thorough on how to do this.

> Should I pay Microsoft for using this feature?

You shouldn't have to pay for anything other than the Windows 2000 Server and Client licensing. All the features are included with the licensing.

> Which Windows 2000 Server version supports IPSec VPN?

Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter Server

and when WinXP comes out, it will also include WinXP Server, Advanced Server, and 64-bit Server.

> Can Windows NT and Windows 95/98 be IPsec clients for Windows 2000?

To the best of my knowledge, no. I think it will only work with Windows 2000 clients (i.e. Windows 2000 Professional).

> Sorry for these dummy questions.

It's OK, we all have to start swimming somewhere in this sea of madness. :-)

Basim S. Jaber
Senior Systems Engineer
VPN Services / Customer Implementation
iPass Inc.
650-333-7619 (mobile)
mailto:4088959514 at airmessage.net (text ePage)

From bjaber at IPASS.COM Tue Feb 20 14:06:49 2001
From: bjaber at IPASS.COM (Basim Jaber)
Date: Tue, 20 Feb 2001 11:06:49 -0800
Subject: PDA VPN Clients
Message-ID: <71038994C3C0D411AD0C009027723C2C44F883@mtvxfiles.corp.ipass.com>

Certicom is the only company which I know which has one. They have a VPN client for PalmOS and WinCE/PocketPC.
http://www.certicom.com

Basim S. Jaber
Senior Systems Engineer
VPN Services / Customer Implementation
iPass Inc.
http://www.ipass.com

> -----Original Message-----
> From: Patrick Bryan [mailto:Patrick.Bryan at LN.SSW.ABBOTT.COM]
> Sent: Friday, February 16, 2001 12:31 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: PDA VPN Clients
>
> Does anyone know if a PDA IPSEC compliant VPN client exists, and for which type of PDA?
From rrodrigues at DNS-DIVEO.NET.BR Fri Feb 16 13:32:18 2001
From: rrodrigues at DNS-DIVEO.NET.BR (Ramiro Rodrigues)
Date: Fri, 16 Feb 2001 15:32:18 -0300
Subject: W2K VPN Basic Questions
References: <5116D9346898D4119FBE0008C7F7EBCA176C1D@SPECIALBREW>
Message-ID: <000a01c09846$cb141ec0$4bb3d7c8@rrodrigues>

Where can I find a tutorial for setting up using Windows 2000 with IPSec?
Should I pay Microsoft for using this feature?
Which Windows 2000 Server version supports IPSec VPN?
Can Windows NT and Windows 95/98 be IPsec clients for Windows 2000?

Sorry for these dummy questions. Is there any FAQ?

[]s RRodrigues

From MuniX-1 at PACBELL.NET Fri Feb 16 00:03:23 2001
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Thu, 15 Feb 2001 21:03:23 -0800
Subject: Can I setup a VPN this way?
References: <002f01c096c2$667ddbc0$f30410ac@niku.com>
Message-ID: <3A8CB49B.613AA111@pacbell.net>

David Gillett wrote:
>
> > Can a VPN start at site A and terminate at site C? Each site has its own network id!
>
> In theory, yes. In practice, the NetScreen boxes don't do this up to version 2.0x; I don't yet know if 2.5 succeeded in adding this capability. (It was on an early list of intended features for this release.)

I have tested the 2.5 code and yes, it supports it and it works nicely.

> > By the way, can a VLAN (layer 3) also provide "security"?
>
> Somewhat, but VLANs aren't really designed to be a security tool, and so their trunking protocols *may* be subject to vulnerabilities. I'd think carefully about how important security is to your situation before relying on VLANs as the mechanism.

From a layer 3 perspective the only vulnerability that I can find is if you use a routing switch or a switching router and assign an IP to routed interfaces; then you can bypass firewalls. Usually a pilot error.

It is impossible to format a L3 packet that when its hop count X [rather counting ttl--]=n then it will transform itself into a L2 tagged frame; quite complicated, rather impossible.

Jose Muniz
Lead Network Engineer
Loudcloud, Inc.

> David Gillett
> Senior Network Engineer
> (650) 701-2702
> Niku Corp. "Transforming the Service Economy"
>
> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Ivan Fox
> Sent: Tuesday, February 13, 2001 4:30 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Can I setup a VPN this way?
>
> There are 3 sites in serial, i.e., A -> B -> C. Each site has a Check Point VPN-1. They are connected using leased E1 lines.
>
> Can a VPN start at site A and terminate at site C? Each site has its own network id!
>
> Any comments are appreciated.
>
> By the way, can a VLAN (layer 3) also provide "security"?
>
> Any pointers/comments are welcome.
>
> Ivan

From married at ZIPLIP.COM Mon Feb 19 02:12:28 2001
From: married at ZIPLIP.COM (married)
Date: Mon, 19 Feb 2001 00:12:28 -0700
Subject: A doubt on IPSEC & NAT
Message-ID: <20010219071228.9675B24C414@lists.securityfocus.com>

[Message body scrubbed by the list archiver; text attachment: http://lists.shmoo.com/pipermail/vpn/attachments/20010219/c6f49f21/attachment.txt]

From doug at BCS.ORG.UK Fri Feb 16 21:18:56 2001
From: doug at BCS.ORG.UK (Douglas Fraser)
Date: Sat, 17 Feb 2001 02:18:56 -0000
Subject: Authentication
References: <5116D9346898D4119FBE0008C7F7EBCA176C1D@SPECIALBREW>
Message-ID: <17cc01c09887$fb05eb90$010aa8c0@enigma.intranet>

> have ports 47 and 1723 open on the firewall.

Problem might be unrelated, but if it is PPTP then it should be IP protocol 47 (GRE) that you should be letting through, not TCP/UDP port 47. Port 1723 would still need to be open.

Douglas Fraser

From rbunzli at CSC.COM Mon Feb 19 10:31:17 2001
From: rbunzli at CSC.COM (Bunzli, Robert)
Date: Mon, 19 Feb 2001 07:31:17 -0800
Subject: IPsec and User Authentication

Hi all, just catching up on email after being gone for several days...

We are using 2 IPSEC implementations for individual user remote access:
SecureID with our Cisco 3000 (Altiga).
RSA radius and SecureID with Nortel Contivity; these boxes require radius with SecureID.

Bob Bunzli
CSC

---------------------- Forwarded by Robert E Bunzli/GIS/CSC on 02/19/2001 07:17 AM ---------------------------
Tina Bird @SECURITYFOCUS.COM> on 02/13/2001 07:43:08 AM
Please respond to Tina Bird
Sent by: VPN Mailing List

From Michael.Washington at FITCHRATINGS.COM Tue Feb 20 14:37:03 2001
From: Michael.Washington at FITCHRATINGS.COM (Washington, Michael)
Date: Tue, 20 Feb 2001 13:37:03 -0600
Subject: Authentication

I have had problems recently in attempts to bring up the same scenario on Checkpoint 4.1.

Dale Handy
cc: (bcc: Michael Washington/it/CHI/F-I)
Subject: Re: Authentication
02/15/2001 10:27 AM
Please respond to Dale Handy

That should be TCP port 1723, and IP protocol #47 (GRE). I assume that you are trying to use Microsoft's PPTP.

At 03:05 PM 2/15/2001 +0000, you wrote:
> Hi,
> I am just beginning to experiment with VPN, I have managed to set-up a VPN server but am having problems with authentication when trying to connect, I have ports 47 and 1723 open on the firewall.
>
> Any help would be appreciated
> Thanks,
> M.

---------
"A ship in harbor is safe, but that is not what ships are for."
--
Dale L. Handy, P.E.
GrepNet, Inc.
dale at grep.net

From rgm at ICSA.NET Tue Feb 20 14:15:58 2001
From: rgm at ICSA.NET (Robert Moskowitz)
Date: Tue, 20 Feb 2001 14:15:58 -0500
Subject: PDA VPN Clients
In-Reply-To: <0055600002727077000002L072*@MHS>
Message-ID: <5.0.0.25.2.20010220141456.03322270@localhost>

At 02:30 PM 2/16/2001 -0600, Patrick Bryan wrote:
> Does anyone know if a PDA IPSEC compliant VPN client exists, and for which type of PDA?

There is one out for the Palm. It uses aggressive mode.

Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of the TruSecure Corporation
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From sandy at STORM.CA Tue Feb 20 17:33:04 2001
From: sandy at STORM.CA (Sandy Harris)
Date: Tue, 20 Feb 2001 17:33:04 -0500
Subject: VPN Information
References: <852569F4.0068BA74.00@mailhost.abicon.com>
Message-ID: <3A92F0A0.B922E5E@storm.ca>

"Bursey, Rick" wrote:
> I'm a Network Administrator ...
>
> We are in the preliminary stages of testing and setting up a VPN for the corporation. As part of this process we are asking other people who may have setup VPN for their company about their experiences.

There's a paper that describes AT&T Research's experience implementing an IPSEC VPN using Linux FreeS/WAN (www.freeswan.org). I don't have a URL to go direct to the paper, but you can get it by searching for "Moat" on Steve Bellovin's publications page:
http://www.research.att.com/~smb/papers/index.html

From Nathan.Reeves at HALLIBURTON.COM Tue Feb 20 22:02:34 2001
From: Nathan.Reeves at HALLIBURTON.COM (Nathan Reeves)
Date: Tue, 20 Feb 2001 21:02:34 -0600
Subject: Problems with NT4 opening VPN connection to W2K Server.

I'm facing a weird problem that hopefully someone else may have seen and have an answer for.
I have a remote server running NT4 with RRAS which is opening a VPN connection across the Internet to a Windows 2000 server. Previous to this we were running NT4 at both ends but now run 2000 at one end.

Everything works fine if I initiate the VPN connection from the Windows 2000 server (eg highlight the interface in RRAS and select Connect). I can see the remote machine, ping the machine etc fine. If I initiate the connection from the NT4 server, the connection is made, but I cannot get IP routing to occur. If I try and ping each server from the opposite server, I just get a timed out message. I can see that data is being passed over the VPN as the data counters are increasing, but no routing occurs.

I've seen this on two NT servers now, reproducible time and time again.

Anyone seen anything like this before??

Thanks in advance.

Nathan Reeves

From jonc at HAHT.COM Wed Feb 21 08:57:43 2001
From: jonc at HAHT.COM (Jon Carnes)
Date: Wed, 21 Feb 2001 08:57:43 -0500
Subject: Problems with NT4 opening VPN connection to W2K Server.
Message-ID: <002d01c09c0e$43815b00$0b04010a@JCARNES>

Have you done all the standard items...

I would start by checking the routes. Do a "route print" both before and after the VPN connection. Also, make sure you are pinging the "inside" addresses, and that you have return routes set up on each box - so that the ping makes it to the other side, and then makes it back.

I'm sure you know what you are doing since you had it working before.

If you are running Proxy Server on the Win2k box, open it up so that it doesn't interfere with your tests.

There are some interesting tweaks you can make to Win2k to help the connection, but most I've heard and done are just to get the darn thing to connect.

If worst comes to worst, run a Linux or BSD box with PopTop!

Good Luck - Jon Carnes

----- Original Message -----
From: "Nathan Reeves"
To:
Sent: Tuesday, February 20, 2001 10:02 PM
Subject: Problems with NT4 opening VPN connection to W2K Server.

> I'm facing a weird problem that hopefully someone else may have seen and have an answer for.
>
> I have a remote server running NT4 with RRAS which is opening a VPN connection across the Internet to a Windows 2000 server. Previous to this we were running NT4 at both ends but now run 2000 at one end.
>
> Everything works fine if I initiate the VPN connection from the Windows 2000 server (eg highlight the interface in RRAS and select Connect). I can see the remote machine, ping the machine etc fine. If I initiate the connection from the NT4 server, the connection is made, but I cannot get IP routing to occur. If I try and ping each server from the opposite server, I just get a timed out message. I can see that data is being passed over the VPN as the data counters are increasing, but no routing occurs.
>
> I've seen this on two NT servers now, reproducible time and time again.
>
> Anyone seen anything like this before??
>
> Thanks in advance.
>
> Nathan Reeves

From rick_smith at SECURECOMPUTING.COM Wed Feb 21 13:46:40 2001
From: rick_smith at SECURECOMPUTING.COM (Rick Smith at Secure Computing)
Date: Wed, 21 Feb 2001 12:46:40 -0600
Subject: VPN history - Reword
Message-ID: <4.3.2.7.0.20010221124353.00ad0d80@posey.sctc.com>

I said:
> I think some posters have already noted the essential difference between X.25 permanent virtual circuits (not 'virtual private circuits') and VPNs: the security is the responsibility of the network customers and not the network provider. The customer must install the equipment and configure the network membership. The same is true for X.25 closed user groups.

Oops.

I meant to say that X.25 closed user groups are, in that sense, the same as permanent virtual circuits: they're both controlled by the network service provider, not the end user.

> There's a profound difference between end to end security managed by the customer and security features embedded in and enforced by the network service provider.

Rick.
smith at securecomputing.com

From millerdan at TCE.COM Wed Feb 21 12:59:15 2001
From: millerdan at TCE.COM (Miller Dan (Sarcom))
Date: Wed, 21 Feb 2001 12:59:15 -0500
Subject: Cisco VPN

Where can I get configuration, setup and customization info on the Cisco VPN Client? Also, where can I get a copy of it to look at?

Dan Miller
Remote Access Engineer
Americas Remote Connectivity
Sarcom/Thomson multimedia Inc
317-587-5669 office
317-817-8121 fax
317-408-0054 cell

From mikef at POCKETLINT.COM Wed Feb 21 16:27:42 2001
From: mikef at POCKETLINT.COM (Mike Forrester)
Date: Wed, 21 Feb 2001 14:27:42 -0700
Subject: A doubt on IPSEC & NAT
References: <20010219071228.9675B24C414@lists.securityfocus.com>
Message-ID: <009c01c09c4d$23ba9860$390c0a0a@Paperweight>

Actually, according to RFC 1918 it should be 172.16.0.0/12 (or 172.16/12) which is the range from 172.16.0.0 to 172.31.255.255 (not 172.31.0.0).

http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html

----- Original Message -----
From: "married"
To:
Sent: Monday, February 19, 2001 12:12 AM
Subject: Re: A doubt on IPSEC & NAT

> I think there are a couple of Cisco guys on this list. The private address range for class B is 172.16.0.0 to 172.31.0.0 and not only 172.16.0.0/24 as the page states. Probably just a typo :-)
>
> > -----Original Message-----
> > From: Hugo Caye [mailto:Hugo at MICMAC.COM.BR]
> > Sent: Wednesday, February 14, 2001, 11:41 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: A doubt on IPSEC & NAT
> >
> > There is an interesting article titled "The Trouble with NAT" (by Lisa Phifer) at:
> > .
> >
> > Interesting because it gives us a NAT overview and explains why IPSec and NAT shouldn't (and sometimes can) work.
> >
> > -----Original Message-----
> > From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
> > Sent: Tuesday, 13 February 2001 13:51
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: A doubt on IPSEC & NAT
> >
> > NAT causes another problem with IKE, as some unfortunate souls trying to use VPN clients behind a firewall have discovered.
> >
> > If you're behind a machine doing address translation that also modifies the source port of your IKE packet, it won't be recognized by the IKE server. For some reason that I've never understood, IKE expects source and destination port to be UDP 500, not just destination port like most of the other services out there. So even if you managed to disable all the mechanisms which check for header consistency in the IPsec communications, you'd still be in trouble.
> >
> > I agree with Joel -- NAT is evil, but man! given the large number of places I'm stuck using it, it would be nice to have a little more flexibility in the IPsec protocols.
> >
> > cheers -- tbird
> >
> > On Tue, 13 Feb 2001, Joel M Snyder wrote:
> >
> > > Date: Tue, 13 Feb 2001 09:13:33 -0700
> > > From: Joel M Snyder
> > > To: VPN at SECURITYFOCUS.COM
> > > Subject: Re: A doubt on IPSEC & NAT
> > >
> > > > In addition, NAT may interfere with IPSec (both ESP and AH) if it prevents the two VPN gateways from successfully negotiating SAs using ISAKMP/IKE with certificates.
> > > > X.509 certificates are signed by a trusted third party (called a Certificate Authority) in order to bind a user's or device's public key to some other identifying public characteristic. One common identifying characteristic used for VPN gateway devices is external IP address.
> > >
> > > The problem is worse than that. There are about 10 different ways in which the X.509 identity can be presented in the IKE authentication payload. IP address is one, but FQDNs are another, and if you bother to check FQDNs (many vendors don't), then the identity can still fail. Even if you use DN (type 9), which is fairly common among IPSEC vendors, you may run afoul of subfields.
> > >
> > > And this assumes you want to use certs and not something simple, like PSS.
> > >
> > > But NAT breaks things yet another way: assuming you are able to get Phase 1 up with IKE, you still have to negotiate Quick Mode. What IP address is going to go into the identification payloads for the QM SA? Each side has a different view of what the two IP addresses (or, more typically, IP address and set of IP address ranges and subnets on the gateway side) are to be protected with ESP. If those fail consistency checks or simply don't match, the QM SA might be established, but useless.
> > >
> > > The short answer is that NAT is an evil thing and while it is possible to get IPSEC going through NAT, it's a lot better to do it the other way around.
> > >
> > > jms
> >
> > VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> > life: http://kubarb.phsx.ukans.edu/~tbird
> > work: http://www.counterpane.com

From bjaber at IPASS.COM Wed Feb 21 15:34:50 2001
From: bjaber at IPASS.COM (Basim Jaber)
Date: Wed, 21 Feb 2001 12:34:50 -0800
Subject: Cisco VPN
Message-ID: <71038994C3C0D411AD0C009027723C2C44F8BE@mtvxfiles.corp.ipass.com>

Which Cisco VPN client are you referring to? VPN 3000, VPN 5000, CiscoSecure SafeNET (a.k.a. IRE)?

Assuming the Cisco VPN 3000 client (which is the latest), the documentation on setup and customization/preconfiguration is on the distribution CD-ROM which accompanied the VPN 3000 Series Concentrator (as well as the client software itself).

Basim S. Jaber
Senior Systems Engineer
VPN Services / Customer Implementation
iPass Inc.

> -----Original Message-----
> From: Miller Dan (Sarcom) [mailto:millerdan at TCE.COM]
> Sent: Wednesday, February 21, 2001 9:59 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Cisco VPN
>
> Where can I get configuration, setup and customization info on the Cisco VPN Client? Also, where can I get a copy of it to look at?
> Dan Miller
> Remote Access Engineer
> Americas Remote Connectivity
> Sarcom/Thomson multimedia Inc
> 317-587-5669 office
> 317-817-8121 fax
> 317-408-0054 cell

From dana at INTERPRISE.COM Wed Feb 21 17:37:33 2001
From: dana at INTERPRISE.COM (Dana J. Dawson)
Date: Wed, 21 Feb 2001 16:37:33 -0600
Subject: Cisco VPN
Message-ID: <3A94432D.467FBA90@interprise.com>

"Miller Dan (Sarcom)" wrote:
>
> Where can I get configuration, setup and customization info on the Cisco VPN Client? Also, where can I get a copy of it to look at?
> Dan Miller
> Remote Access Engineer
> Americas Remote Connectivity
> Sarcom/Thomson multimedia Inc
> 317-587-5669 office
> 317-817-8121 fax
> 317-408-0054 cell

Cisco actually has three VPN clients, but if you start at the following URL you should be able to easily find documentation for all of them.

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

Dana

--
Dana J. Dawson                             dana at interprise.com
Distinguished Principal Engineer           CCIE #1937
Qwest Communications International, Inc.   (612) 664-3364
600 Stinson Blvd., Suite 1S                (612) 664-4779 (FAX)
Minneapolis MN 55413-2620
"Hard is where the money is."

From dana at INTERPRISE.COM Wed Feb 21 17:32:45 2001
From: dana at INTERPRISE.COM (Dana J. Dawson)
Date: Wed, 21 Feb 2001 16:32:45 -0600
Subject: VPN and routing
References: <0D0434654D4CD411857A00508B9A74CE0EA906@MAIL>
Message-ID: <3A94420D.B4C7DF1C@interprise.com>

James Baumgardner wrote:
>
> I have a proxy server on our internal network that allows access to the outside world. I also have setup a VPN box using Linux/FreeSwan. I want all traffic routed to the other private network to go thru the VPN box, so do I add this routing entry to the PROXY, or do I make it the default gateway? What is the ideal solution?

The ideal solution depends on your network topology, but in general you want internal routes to the remote private network(s) to point at the VPN device. This can be a bit of a bother if you have a single LAN, since your desktop systems probably only have a single default gateway configured and it probably points at the proxy server.

If you point that default gateway at your proxy server, then it'll have to redirect any VPN traffic back out on the LAN to the VPN box. If the proxy server is the only path to the outside world, then the VPN box will have to put the encrypted traffic back on the LAN so it can get to the outside.

An alternative would be to add routes to your desktop systems that need to use the VPN so they'll send traffic to the appropriate box depending on the destination. The default gateway would still point at the proxy server, and you'd have a new route (or routes) for the remote network(s) that point at the VPN box. If you have a local router between your users and the VPN and proxy servers, then you only need to add routes to it, so that's a little easier.

If you don't depend on any transparent proxy features of your proxy server (i.e. all your applications that access the Internet are manually configured with your proxy server's private address), then you may be able to get by with just pointing the default gateway in your workstations at the VPN box.

Good luck - I hope this helps.

Dana

--
Dana J. Dawson                             dana at interprise.com
Distinguished Principal Engineer           CCIE #1937
Qwest Communications International, Inc.   (612) 664-3364
600 Stinson Blvd., Suite 1S                (612) 664-4779 (FAX)
Minneapolis MN 55413-2620
"Hard is where the money is."
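The routing choice Dana lays out above, as an added illustration written for this page (it is not code from the thread, from FreeS/WAN or from any proxy product): a small longest-prefix-match model of the office LAN with the two layouts compared, "desktops know only the proxy as default gateway, the proxy holds the route to the VPN box" versus "desktops carry a specific route for the remote network that points at the VPN box". All addresses (10.1.0.0/16 office LAN, 10.2.0.0/16 remote private network, 10.1.0.1 proxy, 10.1.0.2 VPN box, 203.0.113.1 ISP router) and the three device tables are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next hop). Next hop None means the prefix is directly
# attached (or, on the VPN box, reachable through its own IPsec tunnel).
Route = Tuple[ipaddress.IPv4Network, Optional[str]]

# Constructed addresses for the illustration (not from the thread).
LAN = ipaddress.ip_network("10.1.0.0/16")     # the office LAN
REMOTE = ipaddress.ip_network("10.2.0.0/16")  # the other private network, behind the VPN
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
DESKTOP, PROXY, VPN, ISP = "10.1.0.50", "10.1.0.1", "10.1.0.2", "203.0.113.1"


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching prefix wins, as in any IP FIB."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, hop in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def trace(tables: Dict[str, List[Route]], src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops device by device until dst is directly attached or the packet leaves the LAN."""
    path, here = [src], src
    for _ in range(max_hops):
        hop = next_hop(tables[here], dst)
        if hop is None:           # directly attached: delivered
            path.append(dst)
            return path
        path.append(hop)
        if hop not in tables:     # e.g. the ISP router: out of our hands from here on
            return path
        here = hop
    raise RuntimeError(f"routing loop between {src} and {dst}")


PROXY_TABLE: List[Route] = [(LAN, None), (REMOTE, VPN), (DEFAULT, ISP)]
VPN_TABLE: List[Route] = [(LAN, None), (REMOTE, None), (DEFAULT, ISP)]
# Layout 1: desktops know only their default gateway, the proxy.
DESKTOP_DEFAULT_ONLY: List[Route] = [(LAN, None), (DEFAULT, PROXY)]
# Layout 2: desktops also carry a specific route for the remote network via the VPN box.
DESKTOP_WITH_VPN_ROUTE: List[Route] = DESKTOP_DEFAULT_ONLY + [(REMOTE, VPN)]


def compare_layouts(dst: str = "10.2.5.7") -> Dict[str, List[str]]:
    """Path a desktop's packet takes to a host on the remote private network under each layout."""
    shared = {PROXY: PROXY_TABLE, VPN: VPN_TABLE}
    return {
        "default_only": trace({**shared, DESKTOP: DESKTOP_DEFAULT_ONLY}, DESKTOP, dst),
        "vpn_route": trace({**shared, DESKTOP: DESKTOP_WITH_VPN_ROUTE}, DESKTOP, dst),
    }


def lan_crossings(path: List[str]) -> int:
    """How many times the packet is put (back) onto the office LAN before it leaves it."""
    return sum(1 for hop in path[1:] if ipaddress.ip_address(hop) in LAN)


if __name__ == "__main__":
    for name, path in compare_layouts().items():
        print(f"{name:13s} {' -> '.join(path)}  ({lan_crossings(path)} LAN crossings)")
```

With only a default gateway the packet crosses the LAN twice (desktop to proxy, proxy back out to the VPN box), which is the "redirect back out on the LAN" Dana mentions; with the specific route it crosses once. Internet-bound traffic still leaves via the proxy in both layouts because the /16 route is more specific than 0.0.0.0/0 only for the remote network. Whether the proxy will actually forward the hairpinned packet is a separate question the model does not answer.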
From lphifer at FAST.NET Wed Feb 21 17:11:56 2001
From: lphifer at FAST.NET (Lisa Phifer)
Date: Wed, 21 Feb 2001 17:11:56 -0500
Subject: A doubt on IPSEC & NAT
In-Reply-To: <009c01c09c4d$23ba9860$390c0a0a@Paperweight>
References: <20010219071228.9675B24C414@lists.securityfocus.com>
Message-ID: <4.2.0.58.20010221170701.00bc4920@mail2.netreach.net>

Yes, I'm afraid it's my typo - the range should indeed be 172.16.0.0 to 172.31.255.255

Lisa

At 02:27 PM 2/21/2001 -0700, Mike Forrester wrote:
> Actually, according to RFC 1918 it should be 172.16.0.0/12 (or 172.16/12) which is the range from 172.16.0.0 to 172.31.255.255 (not 172.31.0.0).
>
> http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html
>
> ----- Original Message -----
> From: "married"
> To:
> Sent: Monday, February 19, 2001 12:12 AM
> Subject: Re: A doubt on IPSEC & NAT
>
> > I think there are a couple of Cisco guys on this list. The private address range for class B is 172.16.0.0 to 172.31.0.0 and not only 172.16.0.0/24 as the page states. Probably just a typo :-)
> >
> > > -----Original Message-----
> > > From: Hugo Caye [mailto:Hugo at MICMAC.COM.BR]
> > > Sent: Wednesday, February 14, 2001, 11:41 PM
> > > To: VPN at SECURITYFOCUS.COM
> > > Subject: Re: A doubt on IPSEC & NAT
> > >
> > > There is an interesting article titled "The Trouble with NAT" (by Lisa Phifer) at:
> > > .
> > >
> > > Interesting because it gives us a NAT overview and explains why IPSec and NAT shouldn't (and sometimes can) work.
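The two NAT failure modes quoted earlier in this thread (Tina Bird's point about IKE source ports and Joel Snyder's point about Quick Mode identities), as an added toy model written for this page; it is not code from any of the posters or from any IKE implementation, and it exchanges no real packets. The NAT box, the client at 172.16.4.10 (inside the 172.16.0.0/12 block the thread is correcting), the gateway at 203.0.113.5 and the responder's "source port must be UDP 500" rule are all assumptions built for the illustration; the responder rule models the behaviour the thread describes, not any particular product.

```python
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Dict, Tuple

IKE_PORT = 500
# RFC 1918 private blocks; 172.16.0.0/12 runs from 172.16.0.0 to 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    id_i: str = ""  # Quick Mode only: the address/subnet the initiator claims to protect


@dataclass
class NAPT:
    """Port-translating NAT (constructed): one public address, a fresh source port per inside flow."""
    public_ip: str
    next_port: int = 40000
    table: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.table[key])


def ike_phase1(pkt: Packet, require_source_port_500: bool = True) -> str:
    """Responder's first check. A daemon that insists on 500 -> 500 rejects translated packets."""
    if pkt.dport != IKE_PORT:
        return "dropped: not IKE"
    if require_source_port_500 and pkt.sport != IKE_PORT:
        return f"dropped: source port {pkt.sport} != 500"
    return "phase 1 ok"


def ike_quick_mode(pkt: Packet) -> str:
    """Phase 2 consistency check: does the initiator's claimed ID cover the address seen on the wire?"""
    claimed = ipaddress.ip_network(pkt.id_i, strict=False)
    seen = ipaddress.ip_address(pkt.src)
    if seen in claimed:
        return "quick mode ok"
    return f"selector mismatch: initiator claims {claimed}, responder sees {seen}"


def simulate(behind_nat: bool, require_source_port_500: bool = True) -> Tuple[str, str]:
    """Run Phase 1 then Quick Mode for a client at a constructed RFC 1918 address."""
    client, gateway = "172.16.4.10", "203.0.113.5"
    assert is_rfc1918(client)
    p1 = Packet(client, IKE_PORT, gateway, IKE_PORT)
    qm = Packet(client, IKE_PORT, gateway, IKE_PORT, id_i=client + "/32")
    if behind_nat:
        nat = NAPT(public_ip="198.51.100.7")
        p1, qm = nat.outbound(p1), nat.outbound(qm)
    return ike_phase1(p1, require_source_port_500), ike_quick_mode(qm)


if __name__ == "__main__":
    print("no NAT:            ", simulate(behind_nat=False))
    print("NAT, strict port:  ", simulate(behind_nat=True))
    print("NAT, relaxed port: ", simulate(behind_nat=True, require_source_port_500=False))
```

Relaxing the source-port check only gets Phase 1 through; the Quick Mode selector still carries the private address, which is Joel's second problem. The later NAT-Traversal work (UDP encapsulation on port 4500 plus detection of the translated address) addresses both, but it was still draft work when this thread was written.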
From dgillett at NIKU.COM Wed Feb 21 18:18:46 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Wed, 21 Feb 2001 15:18:46 -0800
Subject: VPN and routing
In-Reply-To: <0D0434654D4CD411857A00508B9A74CE0EA906@MAIL>
Message-ID: <010001c09c5c$a48a8680$f30410ac@niku.com>

Whether this applies to you or not will depend on your situation, but in our case the RSM on our core switch doesn't need to do much, so we've made it a kind of "master router" for the site. Client machines all point to it as their default gateway, and then it (alone) knows about the various outbound gateways to different networks.

In your case, you have two gateways, one of which handles the other private network and the other of which (the proxy) handles "everything else". You probably already have your clients' default gateway pointing to the proxy, so the *obvious* approach is going to be to add a route on it specifying that traffic to the remote private network should be sent to the VPN box.

Unfortunately, the PROXY may not allow you to do that (and get the results you want); I'm pretty sure, for instance, that MS Proxy 2.0 would not. (You'd need "IP Forwarding" enabled for it to act as a router, and MS Proxy requires you *disable* that.) There's a chance that FreeSwan introduces a similar limitation on the Linux box -- I'm not sufficiently familiar with that product to say. So you may be ready for a "master router" approach after all.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp. "Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of James Baumgardner
Sent: Thursday, February 15, 2001 10:06 AM
To: VPN at SECURITYFOCUS.COM
Subject: VPN and routing

I have a proxy server on our internal network that allows access to the outside world. I also have setup a VPN box using Linux/FreeSwan. I want all traffic routed to the other private network to go thru the VPN box, so do I add this routing entry to the PROXY, or do I make it the default gateway? What is the ideal solution?

From dgillett at NIKU.COM Wed Feb 21 21:41:32 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Wed, 21 Feb 2001 18:41:32 -0800
Subject: VPN Information
In-Reply-To: <852569F4.0068BA74.00@mailhost.abicon.com>
Message-ID: <011001c09c78$f7b8dcf0$f30410ac@niku.com>

The answers I'd give to these questions depend on whether we're talking about VPN as a WAN technology (VPN between sites instead of Frame/ATM/dedicated links) or as a remote user technology (VPN from ISP dialup/DSL/cable-modem back to main office). It's possible to use the same vendor for both, of course, but we didn't, and the issues involved tend to be different as well.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp. "Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Bursey, Rick
Sent: Thursday, February 15, 2001 11:00 AM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Information

Hi All,

I'm a Network Administrator with Abitibi-Consolidated, Inc. in their Grand Falls, Newfoundland division. Abitibi-Consolidated, Inc. is a large multi-national paper manufacturer with many divisions (mostly in Canada and the United States) and sales offices located in many places world wide. http://www.abicon.com

We are in the preliminary stages of testing and setting up a VPN for the corporation. As part of this process we are asking other people who may have setup VPN for their company about their experiences. I was wondering if you would be willing to answer a few questions for me?

1. What vendor did you use?
2. Why did you choose this vendor?
3. How many access points do you have?
4. What were your experiences? ie. problems, gotchas etc.
5. What would you do differently if you had to do this project again?
6. Any other advice you may have?

Once again, thanks for any information/advice that any of you may be willing to share. Also, this is my first post to this listserv, so please forgive me if I've done something wrong.

-Rick.

Rick Bursey
Abitibi-Consolidated, Inc.
Grand Falls Division
Grand Falls-Windsor, Newfoundland A2A 1K1
phone: 709 292-3243
fax 709 489-6119

From married at ZIPLIP.COM Thu Feb 22 04:49:49 2001
From: married at ZIPLIP.COM (married)
Date: Thu, 22 Feb 2001 02:49:49 -0700
Subject: Fwd: Re: Re: A doubt on IPSEC & NAT
Message-ID: <20010222094949.E7F3024C58D@lists.securityfocus.com>

[Message body scrubbed by the list archiver; text attachment: http://lists.shmoo.com/pipermail/vpn/attachments/20010222/58aa7465/attachment.txt]

From Debashis.Ghosh at GEASN.GE.COM Thu Feb 22 04:02:31 2001
From: Debashis.Ghosh at GEASN.GE.COM (Ghosh, Debashis (CORP, CIM))
Date: Thu, 22 Feb 2001 17:02:31 +0800
Subject: Nortel Contivity 4500 : is there a centralised mgmt solution?
Message-ID: <9D80D576D84CD411914B00508BCF749601C4BC4B@sin01xbasnge.geasn.ge.com>

Hi everyone,

We are in the process of setting up 7 VPN gateways using Nortel Contivity 4500s.... we will use IPSEC.... these gateways will be for both remote access and site to site VPN. I am looking for some centralised management solution like Checkpoint which will let me manage these boxes from a single console. Any suggestions? I want to be able to define a set of policies on one box and then dump those policies on other boxes using the management console.

Any help will be greatly appreciated.
Regards and Thanks,
Debashis

Debashis Ghosh
VPN Product Manager - ASPAC, GE Corporate Information Management
GE Towers #07-00
240 Tanjong Pagar Road
Tel: 65 3263240 ; DC: 533 3240

From ole at CISCO.COM Thu Feb 22 10:52:55 2001
From: ole at CISCO.COM (Ole J. Jacobsen)
Date: Thu, 22 Feb 2001 07:52:55 -0800
Subject: A doubt on IPSEC & NAT
In-Reply-To: <4.2.0.58.20010221170701.00bc4920@mail2.netreach.net>
Message-ID:

Indeed a typo, and it is interesting how many (or how few) people read it that carefully. We will print a correction in the next issue.

Ole

Ole J. Jacobsen
Editor and Publisher, The Internet Protocol Journal
Office of the CTO, Cisco Systems
Tel: +1 408-527-8972 GSM: +1 415-370-4628
E-mail: ole at cisco.com URL: http://www.cisco.com/ipj

On Wed, 21 Feb 2001, Lisa Phifer wrote:

> Yes, I'm afraid it's my typo - the range should indeed be
> 172.16.0.0 to 172.31.255.255
>
> Lisa
>
> At 02:27 PM 2/21/2001 -0700, Mike Forrester wrote:
> >Actually, according to RFC 1918 it should be 172.16.0.0/12 (or 172.16/12)
> >which is the range from 172.16.0.0 to 172.31.255.255 (not 172.31.0.0).
> >
> >http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html
> >
> >----- Original Message -----
> >From: "married"
> >To:
> >Sent: Monday, February 19, 2001 12:12 AM
> >Subject: Re: A doubt on IPSEC & NAT
> >
> > > I think there are a couple of Cisco guys on this list.
> > > The private address range for class B is 172.16.0.0 to
> > > 172.31.0.0 and not only 172.16.0.0/24 as the page states. Probably just a
> >typo :-)
> > >
> > > > -----Original Message-----
> > > > From: Hugo Caye [mailto:Hugo at MICMAC.COM.BR]
> > > > Sent: Wednesday, February 14, 2001, 11:41 PM
> > > > To: VPN at SECURITYFOCUS.COM
> > > > Subject: Re: A doubt on IPSEC & NAT
> > > >
> > > > There is an interesting article titled "The Trouble with NAT" (by Lisa
> > > > Phifer) at:
> > > > .
> > > >
> > > > Interesting because it gives us a NAT's overview and explains why IPSec
> > > > and NAT shouldn't (and some times can) work.

From tbird at PRECISION-GUESSWORK.COM Thu Feb 22 15:45:06 2001
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Thu, 22 Feb 2001 14:45:06 -0600
Subject: [PEN-TEST] VPN Detector (fwd)
Message-ID:

Thought this might be of interest to the list.

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

---------- Forwarded message ----------
Date: Thu, 22 Feb 2001 15:05:00 -0500
From: Chris Winter
Reply-To: Penetration Testers
To: PEN-TEST at SECURITYFOCUS.COM
Subject: Re: [PEN-TEST] VPN Detector

> How do you recognize VPN devices?

Ivan,

One way to do this is to use a newer version of NMAP that supports the -sO IP protocol scanning switch (>= 2.54 if memory serves.) This sends raw IP packets to a host, with the Type of Service bit changed with each successive packet. If a protocol is not present on a host, then an ICMP Protocol Unreachable message is sent back (type 3.2.) This can of course be defeated by a firewall/packet filter that blocks ICMP (specifically type 3.2.) However, if this is not blocked (if the VPN device is in the DMZ or an unprotected net, and the upstream router is not blocking ICMP), then finding hosts that have Protocol 47 (GRE, used to tunnel), and/or protocol 50 (IPSEC-ESP), and/or protocol 51 (IPSEC-AH) is a pretty good indication that some kind of IPSEC/Tunneling/VPN foolery is going on. Just remember that if ICMP is being blocked you will get false positives, showing all the different IP protocols as open.
HTH,
Chris

Chris Winter
Consultant, Security Practice
cwinter at mentortech.com
Cell: 410 258-4817
Mentor Technologies
Visit us at www.mentortech.com

From carlsonmail at YAHOO.COM Thu Feb 22 16:51:39 2001
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Thu, 22 Feb 2001 13:51:39 -0800
Subject: Nortel Contivity 4500 : is there a centralised mgmt solution?
In-Reply-To: <9D80D576D84CD411914B00508BCF749601C4BC4B@sin01xbasnge.geasn.ge.com>
Message-ID: <20010222215139.6528.qmail@web2304.mail.yahoo.com>

Debashis,

To clarify, there are three areas of management where you can centralize:

1) System level (IPs, backup servers, interfaces, etc.) - Nortel has a software package called "Optivity VPN Manager" that will take care of this, but only system level, and not LDAP configs. I think it needs to run on Oracle 8, but not sure. http://www.nortelnetworks.com/products/01/unifiedmanagement/device/opt_vpn.html

2) LDAP groups (groups, filters, RADIUS server configs, etc.) - I recommend a centralized, off-the-box LDAP server implementation, so all boxes can look to this server (and a slave for redundancy). Nortel works with a few, but they've done most of their testing on the Netscape LDAP product. If you do this, then ALL boxes will have the same LDAP configuration. You can get fancy with RADIUS attributes pushed down to put users into specific groups, IP address pools, etc. Since the Optivity VPN Manager doesn't do LDAP groups, you still need to web into one of the Contivities and modify the LDAP config through the Contivity web GUI.

3) User management (userids, passwords, auth type, etc.) - This depends on how you do it. I've recommended RADIUS, and selecting a good RADIUS server that can proxy off to NT, SecurID/ACE, etc. This way, your help desk or regional IT staff would only need access to the RADIUS server to manage users, and not compromise the security of the devices themselves.

This solution is about a year old now, but I think it's still valid.

Good luck!

Chris

From jrdepriest at FTB.COM Thu Feb 22 16:38:59 2001
From: jrdepriest at FTB.COM (DePriest, Jason R.)
Date: Thu, 22 Feb 2001 15:38:59 -0600
Subject: VPN Information
Message-ID:

We are stuck in a similar situation. My department is evaluating a couple of different VPN solutions. We have recently realized that there is no "magic bullet" solution. We have the potential to need three different products: one for remote home users, one for business to business, and one for remote travelling users.
What products do you use and why did you choose them over the other available solutions?

Thank you!

Jason R DePriest, GCFW
Network and Systems Administrator
First Tennessee National Corporation
InterActive Services Department
ph: 901/523-5777, fax: 901/523-5537
email: jrdepriest at ftb.com

Disclaimer: The views expressed in this message, while not necessarily the views of First Tennessee, are nonetheless confidential and not to be freely distributed to external sources without explicit permission from the sender of this message or from First Tennessee National Corporation.

From lajos.koppanyi at KANISA.COM Thu Feb 22 11:45:24 2001
From: lajos.koppanyi at KANISA.COM (Koppanyi, Lajos)
Date: Thu, 22 Feb 2001 08:45:24 -0800
Subject: Nortel Contivity 1510 or Nokia C2500?
Message-ID: <6987D2458480F042AD8ACA9D40F002665FBE83@exchange.kanisa.com>

Hi All,

I am testing different VPN boxes. So far I have tested RedCreek Ravlin 10, Cisco 3000, Nortel Contivity 1510. I like the Contivity 1510 the most because of its good reputation, multi-platform client software, easy management. However, what I don't like about it is the lack of redundancy and load balancing. Redundancy is important to me. Nokia C2500 offers all of these, good load balancing and redundancy. The only thing I don't like about it is that it does not offer a client on some Windows platforms and Mac.

Please let me know what you think about these two boxes.
Thanks,
LK

From dgillett at NIKU.COM Thu Feb 22 17:47:37 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Thu, 22 Feb 2001 14:47:37 -0800
Subject: VPN Information
In-Reply-To:
Message-ID: <011e01c09d21$749c0f00$f30410ac@niku.com>

We're using NetScreen firewalls at each of our sites, and relying on their capabilities for point-to-point VPN connection. Until their latest release, they haven't been able to route traffic from one tunnel directly into another, so this required a fully-meshed set of tunnels -- potentially 210 to link our 15 sites! (In fact, some of the outlying locations rarely connect to each other, and so not all 210 are defined....)

A second issue concerns tunnelling from inside site A to inside site B and then crossing the firewall from inside to DMZ; that may also be implemented in the latest release although perhaps it's harder to do.

The third issue -- one that doesn't just apply to NetScreen and which no device vendor can likely fix -- is that while the Internet is usually drawn as an undifferentiated cloud, in fact different carriers peer with each other to varying extents and in varying locations. A recurring nightmare involves sites served by different carriers A and B who have no direct peering point. Often, traffic from A to B will be carried on C while traffic from B to A flows over D. So we now have four carriers in the mix, two of whom don't have us as customers, so we have zero influence/leverage with them. So when the gateway between B and D becomes overloaded and starts to drop packets, our "secure" connection rapidly degrades below usability. B points its finger at D and shrugs. A few carriers will offer an SLA (Service Level Agreement) *IF* all of the sites involved are carried by them. We've been migrating our sites to UUNet for this reason; you have to determine if their premium pricing is worth it for your case.

I'm not sure what characteristics would lead you to deploy different solutions for home and travelling remote users. We're using the Cisco VPN 3000 for both, and in fact for our most recent business-to-business "extranet" link as well. (I think there's actually a PIX on the other end of that connection.) We actually selected this solution while it was Altiga, based on four primary criteria:

1. Initial PPTP support with the option to move up to IPSEC. In practice, limitations of the PPTP support and ease of IPSEC had us move up right from the outset.

2. Initial NT domain authentication with the option to move up to SecurID authentication. We've had two minor "scares" -- less than full-fledged incidents -- which would have been avoided if we had deployed SecurID, but we haven't yet managed to work it into the budget.

3. Most of the products we looked at would have required us to expend major effort and hassle to manage/track the client licenses issued to our remote users all over the globe. So far, we haven't had to do that, and we're hoping Cisco recognizes and preserves that advantage!

4. Competitive pricing across a wide range of performance. Although growth has slowed somewhat, we were deploying into an enterprise that was doubling in headcount every 3-4 months. We were willing to pay a bit more for the box (about the same after client licenses, see item 3!) for the knowledge that if our remote user base exploded, we could keep pace for a good long time by installing SEPs as warranted.

David Gillett
Senior Network Engineer (650) 701-2702
Niku Corp. "Transforming the Service Economy"

From bjaber at IPASS.COM Thu Feb 22 17:34:15 2001
From: bjaber at IPASS.COM (Basim Jaber)
Date: Thu, 22 Feb 2001 14:34:15 -0800
Subject: Nortel Contivity 1510 or Nokia C2500?
Message-ID: <71038994C3C0D411AD0C009027723C2C44F8FA@mtvxfiles.corp.ipass.com>

Lajos,

The Contivity 1510 indeed supports both load balancing and redundancy. You can configure up to three Contivity switches in a load-balanced configuration where they will all share CPU utilization statistics and balance incoming requests. As for redundancy, you can configure failover/backup switches. The failover configuration is written to each client as they log on to the switch. That way when the switch goes down, the client will know and automatically try the backup switch(es). I've never worked with the Nokia box so I cannot comment about that.

Basim S. Jaber
Senior Systems Engineer
VPN Services / Customer Implementation
iPass Inc.

From PWolf at MC.CC.MD.US Fri Feb 23 09:06:11 2001
From: PWolf at MC.CC.MD.US (Wolf, Paul)
Date: Fri, 23 Feb 2001 09:06:11 -0500
Subject: Recommendations for VPN authentication
Message-ID:

Hi, as I am new at the VPN game, I would like to get some recommendations on the type of server and software needed for authentication. Which is better, RADIUS or an LDAP solution? What hardware is needed: processor, memory, OS etc. Any help is greatly appreciated.

Paul Wolf

PS Anybody currently implementing or planning to implement a hardware based VPN solution from VPNet?

From raoul at PAVER.COM Fri Feb 23 16:04:06 2001
From: raoul at PAVER.COM (Paver, Raoul)
Date: Fri, 23 Feb 2001 15:04:06 -0600
Subject: NT vpn setup
Message-ID: <3984FAB635AFD31199C00050040528220DE40C@SERVER2>

I have a problem connecting via VPN to our office from home.
We had VPN working in the past, but we moved our office, reloaded the server's OS (NT 4.0), and changed DSL providers. Even after setting up PPTP & RAS according to Microsoft's instructions, I have not been able to stay connected. Here are my steps:

From Windows ME
1. Connect to ISP.
2. Start VPN connection
   a. Displays "verifying user name and password"
   b. Displays "Logging onto Network"
   c. Displays "Disconnecting" - Details info states "Disconnected from the computer you dialed"

On PPTP Server (NT 4.0 SP6)
System Log, in event viewer, shows Remote Access has authenticated my user name on port VPN1.
Security Log, in event viewer, shows audit log success for security logon for my user.

I have tried using a different client (NT 4.0 workstation), but I still cannot stay connected.

Thanks for any help!!

From guy.raymakers at EDS.COM Fri Feb 23 04:06:45 2001
From: guy.raymakers at EDS.COM (Raymakers, Guy)
Date: Fri, 23 Feb 2001 09:06:45 -0000
Subject: Nortel Contivity 1510 or Nokia C2500?
Message-ID:

The Nokia CC2500 v3 is offering the client on all Windows platforms but as far as I know no MAC.

From Joel.Snyder at OPUS1.COM Thu Feb 22 19:00:22 2001
From: Joel.Snyder at OPUS1.COM (Joel M Snyder)
Date: Thu, 22 Feb 2001 17:00:22 -0700
Subject: Nortel Contivity 1510 or Nokia C2500?
References: <6987D2458480F042AD8ACA9D40F002665FBE83@exchange.kanisa.com>
Message-ID: <3A95A814.68802D8F@opus1.com>

The Nokia CC2500 does offer Windows NT/95/98/2000 support. It also has centralized management, which makes it very different from the Nortel box (which is element managed). The 3.1 version of the CC2500 supports Mac clients as well. I like the idea of a box that doesn't take multiple minutes to boot and forever to paint screens. Nokia also supports CRACK for secure authentication, which pushes it out front in terms of absolute security model.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One
This was written from my laptop, so it is highly unlikely that I am in the office. Send email if you want to talk.
From bjaber at IPASS.COM Fri Feb 23 19:04:09 2001
From: bjaber at IPASS.COM (Basim Jaber)
Date: Fri, 23 Feb 2001 16:04:09 -0800
Subject: NT vpn setup
Message-ID: <71038994C3C0D411AD0C009027723C2C44F937@mtvxfiles.corp.ipass.com>

You need to upgrade the WinME Dial-Up Networking to add the 128-bit support. Go to http://windowsupdate.microsoft.com and download/install the "128-bit Encryption Support for Dial-Up Networking". The authentication occurs but the data encryption level is being rejected by the server.

Basim S. Jaber
Senior Systems Engineer
VPN Services / Customer Implementation
iPass Inc.

From pbryan at ACRUX.NET Sat Feb 24 11:33:34 2001
From: pbryan at ACRUX.NET (Patrick Bryan)
Date: Sat, 24 Feb 2001 10:33:34 -0600
Subject: Recommendations for VPN authentication
In-Reply-To:
Message-ID:

I would recommend coupling Radius with LDAP as a solution. Use Radius for accounting needs and LDAP for authentication.

From rit at JACKED-IN.ORG Sun Feb 25 16:00:40 2001
From: rit at JACKED-IN.ORG (Brendan W. McAdams)
Date: Sun, 25 Feb 2001 16:00:40 -0500
Subject: ISAKMPD/IPsec Issue: Seeking Resolution
Message-ID: <002901c09f6e$03429cd0$0600000a@themunicenter.com>

Hey, hoping someone can help me out. I'm having an issue with ISAKMPD in trying to set up a VPN between my home network and work. Firewalls on both ends are OpenBSD 2.8, rolled back to the generic kernel to be sure it isn't a kernel compile issue that I'm having. [Note: I've removed Internet IPs to protect my network(s).] 10.0.0.0/24 is my home internal network, 192.168.1.0/24 is my work net.
Once I set up the ISAKMPD session between both boxes, 'netstat -rn' on my local box (athene) shows:

Encap:
Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
192.168.1/24    0     10.0.0/24       0     0      [Carp Internet IP]/50/require/in
10.0.0/24       0     192.168.1/24    0     0      [Carp Internet IP]/50/require/out

Which, as far as I can tell, is exactly what it is supposed to be. On Carp however (work firewall), I get the following from a 'netstat -rn':

Encap:
Source                   Port  Destination            Port  Proto  SA(Address/Proto/Type/Direction)
10.0.0/24                0     192.168.1/24           0     0      [Athene Internet IP]/50/require/in
[Athene Internet IP]/32  0     [Carp Internet IP]/32  0     0      [Athene Internet IP]/50/require/in
[Athene Internet IP]/32  0     192.168.1/24           0     0      [Athene Internet IP]/50/require/in
192.168.1/24             0     10.0.0/24              0     0      [Athene Internet IP]/50/require/out

Obviously there is an issue here; what are those two extra routes with Athene's Internet IP doing in there? I've gone over my config multiple times and can find no explanation.

ISAKMPD.CONF on Athene:

[General]
Retransmits = 5
Exchange-max-time = 120
Listen-on = [Athene Internet IP]

[Phase 1]
[Carp Internet IP] = Carp

[Phase 2]
Connections = Athene-Carp

[Carp]
Phase = 1
Transport = udp
Local-address = [Athene Internet IP]
Address = [Carp Internet IP]
Configuration = Default-main-mode
Authentication = gjepmx

[Athene-Carp]
Phase = 2
ISAKMP-peer = Carp
Configuration = Default-quick-mode
Local-ID = Net_Home
Remote-ID = Net_Work

[Net_Work]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.1.0
Netmask = 255.255.255.0

[Net_Home]
ID-type = IPV4_ADDR_SUBNET
Network = 10.0.0.0
Netmask = 255.255.255.0

[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-3DES-SHA-PFS-SUITE

ISAKMPD.CONF on Carp:

[General]
Retransmits = 5
Exchange-max-time = 120
Listen-on = [Carp Internet IP]

[Phase 1]
[Athene Internet IP] = Athene

[Phase 2]
Connections = Carp-Athene

[Athene]
Phase = 1
Transport = udp
Local-address = [Carp Internet IP]
Address = [Athene Internet IP]
Configuration = Default-main-mode
Authentication = gjepmx

[Carp-Athene]
Phase = 2
ISAKMP-peer = Athene
Configuration = Default-quick-mode
Local-ID = Net_Work
Remote-ID = Net_Home

[Net_Work]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.1.0
Netmask = 255.255.255.0

[Net_Home]
ID-type = IPV4_ADDR_SUBNET
Network = 10.0.0.0
Netmask = 255.255.255.0

[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-3DES-SHA-PFS-SUITE

Everything looks ok to me. I could use some help *ASAP* in getting this set up properly.

Thanks,
Brendan W. McAdams

From cameronschuler at HOTMAIL.COM Mon Feb 26 15:06:29 2001
From: cameronschuler at HOTMAIL.COM (Cameron Schuler)
Date: Mon, 26 Feb 2001 13:06:29 -0700
Subject: "CRACK"
Message-ID:

Does anyone know of a good resource for CRACK vs CA?

Thank you,
Cameron

From lists at FIPS.DE Mon Feb 26 21:09:04 2001
From: lists at FIPS.DE (Philipp Buehler)
Date: Tue, 27 Feb 2001 03:09:04 +0100
Subject: ISAKMPD/IPsec Issue: Seeking Resolution
In-Reply-To: <002901c09f6e$03429cd0$0600000a@themunicenter.com>; "Brendan W. McAdams" on 25.02.2001 @ 22:00:40 MET
References: <002901c09f6e$03429cd0$0600000a@themunicenter.com>
Message-ID: <20010227030904.A10246@pohl.fips.de>

On 27/02/2001, Brendan W. McAdams wrote To VPN at SECURITYFOCUS.COM:
> ISAKMPD.CONF on Athene:
> [Carp]
> Local-address = [Athene Internet IP]

Eh?

> Everything looks ok to me.

Not the line about local-address.

> I could use some help *ASAP* in getting this set up properly.

/usr/share/ipsec/isakmp/VPN-east.conf ..

So. Since the routes are set up, the crypto config could be stated ok.
At least you could look into the debug log [-DA] for it. Also 'route -n show' shows more understandable results than a pure netstat.

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?

From lists at FIPS.DE Tue Feb 27 13:11:24 2001
From: lists at FIPS.DE (Philipp Buehler)
Date: Tue, 27 Feb 2001 19:11:24 +0100
Subject: ISAKMPD/IPsec Issue: Seeking Resolution
In-Reply-To: ; "Brendan W. McAdams" on 27.02.2001 @ 15:25:20 MET
References: <20010227030904.A10246@pohl.fips.de>
Message-ID: <20010227191124.A13556@pohl.fips.de>

On 27/02/2001, Brendan W. McAdams wrote Cc VPN at SECURITYFOCUS.COM:
> All IPs have been replaced with [Machine ] in that I'm not
> interested in publishing addresses of my firewalls to the world at large
> =)

yes, of course (btw, a 1.1.1.1 would be better readable than [...])

I mean, [Carp] should not have the Local-Address of Athene

> > On 27/02/2001, Brendan W. McAdams wrote To VPN at SECURITYFOCUS.COM:
> > > ISAKMPD.CONF on Athene:
> > > [Carp]
> > > Local-address = [Athene Internet IP]
> > Eh?

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?

From brendan at JACKED-IN.ORG Tue Feb 27 09:25:20 2001
From: brendan at JACKED-IN.ORG (Brendan W. McAdams)
Date: Tue, 27 Feb 2001 09:25:20 -0500
Subject: ISAKMPD/IPsec Issue: Seeking Resolution
In-Reply-To: <20010227030904.A10246@pohl.fips.de>
Message-ID:

All IPs have been replaced with [Machine ] in that I'm not interested in publishing addresses of my firewalls to the world at large =)

On Tue, 27 Feb 2001, Philipp Buehler wrote:
> On 27/02/2001, Brendan W. McAdams wrote To VPN at SECURITYFOCUS.COM:
> > ISAKMPD.CONF on Athene:
> > [Carp]
> > Local-address = [Athene Internet IP]
> Eh?
>
> > Everything looks ok to me.
> Not the line about local-address.
>
> > I could use some help *ASAP* in getting this set up properly.
> /usr/share/ipsec/isakmp/VPN-east.conf ..
>
> So, since the routes are set up, the crypto config could be
> stated ok. At least you could look into the debug log [-DA] for
> it. Also 'route -n show' shows more understandable results
> than a pure netstat.
>
> ciao
> --
> Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |
>
> #1: Break the clue barrier!
> #2: Already had buzzword confuseritis ?

From lists at FIPS.DE Tue Feb 27 13:15:38 2001
From: lists at FIPS.DE (Philipp Buehler)
Date: Tue, 27 Feb 2001 19:15:38 +0100
Subject: reallife experience nokia cluster?
Message-ID: <20010227191538.B13556@pohl.fips.de>

Hi,

just reading about the newer nokia crypto cluster (cc500 .. cc5200)

they say '500ms max. failover time' .. any real-world tests out there?

I think that's quite fast - if it's true :>
A CC5200 is marketing-reported to have up to 150Mbit/s 3DES throughput and 30k tunnels.
Failover shall include IKE negotiations in any phase..

I think that's hyped in 500ms :P

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?

From yquy at ENNOVATENETWORKS.COM Wed Feb 28 10:43:32 2001
From: yquy at ENNOVATENETWORKS.COM (Yen Quy)
Date: Wed, 28 Feb 2001 10:43:32 -0500
Subject: Help
In-Reply-To: <20010227191124.A13556@pohl.fips.de>
Message-ID:

Hi,

I had always been able to log into my company's network using Compatible System's Windows 98 VPN software (IntraPort vpn-5000-win-95-98-4.2.4.3DES) until recently it just stopped working. I kept getting timed out trying to log in. I have a private network in my house using private IPs (192.168.0.x). These computers are connected to a Baystack 350T-24 Ethernet Switch.
And this switch is connected to a Netgear RT311 router, and finally this router is connected to a Motorola Surfboard cable modem. I understand that I had to turn on NAT in the VPN application to connect to my company's network via VPN. It always worked that way until recently. My company's admin confirmed that he did not change anything in his VPN server, and neither did I. I suspect that Charter (my ISP) must have changed something in their firewall. I'm new to all this, so any suggestion to solve my problem would be greatly appreciated.

Yen

From Joel.Snyder at OPUS1.COM Tue Feb 27 21:06:42 2001
From: Joel.Snyder at OPUS1.COM (Joel M Snyder)
Date: Tue, 27 Feb 2001 19:06:42 -0700
Subject: reallife experience nokia cluster?
References: <20010227191538.B13556@pohl.fips.de>
Message-ID: <3A9C5D33.2D97A85B@opus1.com>

Actually, that's not hyped at all. If you read the Network World high-availability VPN review, you can see that the numbers are supported:

http://www.nwfusion.com/reviews/2000/1211rev.html

The CC5200 will do 180 Mbps full duplex; the limiting speed is the speed of the Ethernet. If you want to go faster, you should get the 5205 which has GE and will do about 220 Mbps.

jms

Philipp Buehler wrote:
>
> Hi,
>
> just reading about the newer nokia crypto cluster (cc500 .. cc5200)
>
> they say '500ms max. failover time' .. any real-world tests out there?
>
> I think that's quite fast - if it's true :>
> A CC5200 is marketing-reported to have up to 150Mbit/s 3DES
> throughput and 30k tunnels.
> Failover shall include IKE negotiations in any phase..
>
> I think that's hyped in 500ms :P
>
> ciao
> --
> Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |
>
> #1: Break the clue barrier!
> #2: Already had buzzword confuseritis ?

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
+1 520 324 0494 x101 (voice)  +1 520 324 0495 (FAX)
jms at Opus1.COM  http://www.opus1.com/jms  Opus One
Electronic mail is always the best way to contact me.

From danny at STALLION.OZ.AU Wed Feb 28 01:10:58 2001
From: danny at STALLION.OZ.AU (Danny Smith)
Date: Wed, 28 Feb 2001 16:10:58 +1000
Subject: IPSec training resources?
Message-ID:

Is anyone aware of any good training/tutorial/explanation resources on VPNs in general, and IPSec in particular? I'm currently working on a training course, and would appreciate some ideas on how best to approach the topic.

Thanks,

******************************************************************
Danny Smith                         Network Engineer
Stallion Technologies
33 Woodstock Road                   Phone : +61 7 3270 4249
Toowong, QLD 4066, Australia        Fax   : +61 7 3270 4245
E-mail danny at stallion.oz.au
ePipe - winner of the 2000 Asia Pacific IT&T award for infrastructure innovation
www.stallion.com/epipe
******************************************************************

CAUTION: This Message may contain confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that any use, dissemination, distribution or reproduction of this message is prohibited. If you received this message in error please notify the originator of this email message immediately. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Stallion Technologies.
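Returning to the ISAKMPD/IPsec thread above: the two isakmpd.conf files posted for Athene and Carp have to mirror each other, in that one side's Phase 1 Address is the other side's Listen-on, one side's Local-ID network is the other side's Remote-ID network, and both sides offer the same quick-mode suites. The Python script below is an added example, not code from the thread or from isakmpd; it parses both files and reports every place where they fail to mirror. The bracketed placeholders from the post are replaced by the constructed documentation addresses 192.0.2.1 (Athene) and 198.51.100.1 (Carp), and only the sections the check reads are reproduced. The semantics it encodes are those of isakmpd.conf(5): in a Phase 1 section Local-address is the local interface address and Address is the peer.

```python
"""Mirror-consistency check for a pair of isakmpd.conf files (added example,
not code from the thread or from isakmpd).  Placeholders from the post are
replaced by constructed documentation addresses: Athene 192.0.2.1, Carp
198.51.100.1.  Only the sections the check reads are reproduced."""
from typing import Dict, List, Set, Tuple

Config = Dict[str, Dict[str, str]]

COMMON = """
[Net_Work]
Network = 192.168.1.0
Netmask = 255.255.255.0
[Net_Home]
Network = 10.0.0.0
Netmask = 255.255.255.0
[Default-quick-mode]
Suites = QM-ESP-3DES-SHA-PFS-SUITE
"""  # sections that are identical in both posted files
ATHENE_CONF = """
[General]
Listen-on = 192.0.2.1
[Phase 1]
198.51.100.1 = Carp
[Phase 2]
Connections = Athene-Carp
[Carp]
Local-address = 192.0.2.1
Address = 198.51.100.1
[Athene-Carp]
ISAKMP-peer = Carp
Configuration = Default-quick-mode
Local-ID = Net_Home
Remote-ID = Net_Work
""" + COMMON
CARP_CONF = """
[General]
Listen-on = 198.51.100.1
[Phase 1]
192.0.2.1 = Athene
[Phase 2]
Connections = Carp-Athene
[Athene]
Local-address = 198.51.100.1
Address = 192.0.2.1
[Carp-Athene]
ISAKMP-peer = Athene
Configuration = Default-quick-mode
Local-ID = Net_Work
Remote-ID = Net_Home
""" + COMMON


def parse_isakmpd_conf(text: str) -> Config:
    """'[Section]' headers and 'Key = Value' lines; a Phase 1 peer map line is Key = Value too."""
    conf: Config = {}
    section = ""
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif line:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
    return conf


def _net(conf: Config, id_section: str) -> str:
    return f"{conf[id_section]['Network']}/{conf[id_section]['Netmask']}"


def _flows(conf: Config, peer_name: str) -> Set[Tuple[str, str, str]]:
    """Every Phase 2 connection to peer_name as (local net, remote net, suites)."""
    flows: Set[Tuple[str, str, str]] = set()
    for name in conf["Phase 2"]["Connections"].split(","):
        conn = conf[name.strip()]
        if conn.get("ISAKMP-peer") == peer_name:
            flows.add((_net(conf, conn["Local-ID"]), _net(conf, conn["Remote-ID"]),
                       conf[conn["Configuration"]].get("Suites", "")))
    return flows


def check_peer_pair(local: Config, remote: Config) -> List[str]:
    """Findings for local's tunnel to remote; an empty list means the two files mirror."""
    my_ip, peer_ip = local["General"]["Listen-on"], remote["General"]["Listen-on"]
    my_peer, their_peer = local["Phase 1"].get(peer_ip), remote["Phase 1"].get(my_ip)
    if my_peer is None or their_peer is None:
        return [f"no [Phase 1] mapping between {my_ip} and {peer_ip} on both sides"]
    findings: List[str] = []
    me = local[my_peer]
    if me.get("Address") != peer_ip:
        findings.append(f"[{my_peer}] Address {me.get('Address')} is not the peer's Listen-on {peer_ip}")
    if me.get("Local-address", my_ip) != my_ip:
        findings.append(f"[{my_peer}] Local-address {me['Local-address']} is not our Listen-on {my_ip}")
    # Phase 2: our (local, remote) selector pair must appear on the peer as (remote, local).
    mirrored = {(r, l, s) for (l, r, s) in _flows(remote, their_peer)}
    for flow in _flows(local, my_peer) - mirrored:
        findings.append(f"peer has no mirrored Phase 2 flow for local={flow[0]} remote={flow[1]} suites={flow[2]}")
    return findings


if __name__ == "__main__":
    athene, carp = parse_isakmpd_conf(ATHENE_CONF), parse_isakmpd_conf(CARP_CONF)
    print("Athene -> Carp:", check_peer_pair(athene, carp) or "consistent")
    print("Carp -> Athene:", check_peer_pair(carp, athene) or "consistent")
```

Run against the two posted files the check reports nothing in either direction, which is what the thread's "everything looks ok" amounts to. Change Carp's Net_Home netmask to 255.255.0.0 and the Phase 2 check fires, because Athene's 10.0.0.0/24 selector then has no mirror on Carp; set a Local-address to the peer's address and the Phase 1 check fires. A mirror check of this kind only covers what is in the files, so it cannot account for extra flows that show up in the kernel's SPD at runtime; for those, the debug log suggested in the reply is still the place to look.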
From dgillett at NIKU.COM Wed Feb 28 20:31:38 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Wed, 28 Feb 2001 17:31:38 -0800
Subject: vpn won't work due to route caching on NT 4.0 sp6a
In-Reply-To:
Message-ID: <01cd01c0a1ef$5cea0470$f30410ac@niku.com>

We've seen a similar issue, and I think the key is to look at why you need a static address. In our case, the laptops that need a static address do not need that address to be given to anyone else -- they just need a static way to refer to *themselves*. In this case, making one of the NIC addresses static is the wrong solution. The "obvious" solution is to use the universal loopback address of 127.0.0.1, or, in the cases where that doesn't work (I have not had a chance to investigate and understand these...), install the MS Loopback Connector, which by default installs at 10.0.0.1. Either of these allows the NIC addresses to continue to use DHCP.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp.
"Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Byron Kennedy
Sent: Wednesday, February 28, 2001 3:17 PM
To: VPN at SECURITYFOCUS.COM
Subject: FW: vpn won't work due to route caching on NT 4.0 sp6a

I think I remember a discussion thread on a similar topic a month or so ago and am hoping that someone has some insight on this.

Client hardware with issues:
Dell Latitude CPx, CSx, NT 4.0 SP 5 or 6a
NIC 1: 3Com 3c905c in the Dell dock port (enabled on docked HW profile)
NIC 2: Xircom REALPORT Cardbus 10/100 LAN, 56k modem (enabled on undocked HW profile)

Here's the issue:

Our VPN setup is designed such that our clients dial up Earthlink and connect securely back to our Netscreen firewall via the Netscreen remote client software (IRE OEM) using IPsec. There have been very few problems over the past 1.5 years until recently.

Traditionally, we've always used DHCP config for the two network adapters; however, recently we've needed to enable static IP on some of these clients. When we do this, and then go to dial up (using the Xircom modem) in "undocked" mode, our VPN will fail: you can't ping internal IPs anymore. I've checked the route table on the client and see a route for our local subnet in there with a gateway of the Xircom NIC, of

10.10.0.0  255.255.0.0  10.10.0.254 (ip of internal lan router)  2 (metric)

which is entered from the static IP on the Xircom. There is in fact a default gateway of 0.0.0.0, etc. assigned to the DUN gateway passed out by Earthlink. However, it would seem, given the route statement above, that all packets destined for our internal LAN are routing to the unconnected Xircom LAN adapter and just get dropped by the stack, instead of heading out over the DUN connection and over the VPN.

Does anyone have any thoughts on this? I'm hoping there's an explanation and fix for this. Have no trouble with Windows 2000 clients on this.

thx for ideas.

cheers,
byron

Byron Kennedy
Network Administrator
Markettools, Inc.
1 Belvedere Place
www.markettools.com  www.ztelligence.com  www.zoomerang.com

MarketTools is the premier applications services provider of Web-based corporate solutions including market research and feedback services. The company helps businesses of all sizes gather the critical information they need to make key business decisions. MarketTools' research and feedback applications are the first phase of its global relationship intelligence network that will link companies with their customers, employees, vendors and shareholders. MarketTools is a privately held company headquartered in Mill Valley, CA.
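The route Byron quotes is enough to predict the behaviour he sees, and the mechanism is worth watching in isolation. The Python model below is an added example, not code from the thread or from the NT stack; it applies the ordinary route-selection rule (the most specific prefix wins, and metric only breaks ties between equally specific routes) to a table constructed from the post. The 10.10.0.0/16 via 10.10.0.254 with metric 2 entry is the one quoted in the message; the dial-up gateway 203.0.113.1, the Xircom's static address 10.10.1.20 and the internal host 10.10.5.7 are constructed placeholders. The second table models the reply's suggestion of leaving the NIC on DHCP and using 127.0.0.1 as the stable self-address.

```python
"""Why a static LAN route on an unconnected adapter swallows VPN traffic.

Added example for the NT 4.0 "route caching" thread; not code from the thread
or from any vendor.  Routes are chosen by longest prefix, then lowest metric.
Constructed values: ISP gateway 203.0.113.1, Xircom static address 10.10.1.20,
internal host 10.10.5.7.  The 10.10.0.0/16 via 10.10.0.254 metric 2 entry is
the one quoted in the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: IPv4Network
    gateway: str
    interface: str
    metric: int


def route(dest: str, gateway: str, interface: str, metric: int) -> Route:
    return Route(ip_network(dest, strict=False), gateway, interface, metric)


# Laptop as described: dialed up, docked NIC disabled, Xircom NIC given a
# static address but not plugged into anything.
STATIC_IP_TABLE: List[Route] = [
    route("0.0.0.0/0", "203.0.113.1", "DUN", 1),          # default via the ISP dial-up (constructed gateway)
    route("10.10.0.0/16", "10.10.0.254", "Xircom", 2),    # installed by the static config (from the post)
    route("10.10.1.20/32", "127.0.0.1", "loopback", 1),   # the Xircom's own address (constructed)
    route("127.0.0.0/8", "127.0.0.1", "loopback", 1),
]

# Same laptop with the Xircom left on DHCP (no lease on an unplugged NIC, so
# no 10.10/16 route) and 127.0.0.1 used as the stable self-address.
LOOPBACK_TABLE: List[Route] = [
    route("0.0.0.0/0", "203.0.113.1", "DUN", 1),
    route("127.0.0.0/8", "127.0.0.1", "loopback", 1),
]


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix first, lowest metric second; None when nothing matches."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.destination.prefixlen, -r.metric))


def egress_interface(table: List[Route], dst: str) -> str:
    """Interface a packet to dst leaves on (the VPN client only sees traffic on DUN)."""
    chosen = select_route(table, dst)
    return chosen.interface if chosen else "unreachable"


def explain(table: List[Route], dst: str) -> str:
    """One-line diagnosis: where traffic to dst goes and which rule decided it."""
    chosen = select_route(table, dst)
    if chosen is None:
        return f"{dst}: no route"
    rivals = [r for r in table if ip_address(dst) in r.destination and r is not chosen]
    why = ("/%d beats %s" % (chosen.destination.prefixlen,
                             ", ".join(f"/{r.destination.prefixlen}" for r in rivals))
           if rivals else "only matching route")
    return f"{dst} -> {chosen.interface} via {chosen.gateway} metric {chosen.metric} ({why})"


if __name__ == "__main__":
    host = "10.10.5.7"  # constructed address on the corporate 10.10/16 LAN
    print("static IP on Xircom:", explain(STATIC_IP_TABLE, host))
    print("DHCP + loopback    :", explain(LOOPBACK_TABLE, host))
```

With the static address in place, traffic for 10.10.5.7 leaves on the Xircom interface even though the default route has the better metric, which is exactly the drop Byron describes. With the NIC back on DHCP the only match is the default route, so the packets reach the dial-up interface where the IPsec client can pick them up. The same `egress_interface` check is the thing to run before adopting any fixed self-address: whatever address the loopback adapter ends up with, the route it installs must not cover a subnet the tunnel is supposed to carry.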
From dgillett at NIKU.COM Wed Feb 28 20:58:04 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Wed, 28 Feb 2001 17:58:04 -0800
Subject: vpn won't work due to route caching on NT 4.0 sp6a
In-Reply-To: <01cd01c0a1ef$5cea0470$f30410ac@niku.com>
Message-ID: <01d101c0a1f3$0e10a2b0$f30410ac@niku.com>

Oh yeah -- the other approach is to use docked/undocked hardware profiles, or install something like Symantec's "Mobile Essentials" which allows you to select between different network configurations for different locations.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp.
"Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of David Gillett
Sent: Wednesday, February 28, 2001 5:32 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: vpn won't work due to route caching on NT 4.0 sp6a

We've seen a similar issue, and I think the key is to look at why you need a static address. In our case, the laptops that need a static address do not need that address to be given to anyone else -- they just need a static way to refer to *themselves*. In this case, making one of the NIC addresses static is the wrong solution. The "obvious" solution is to use the universal loopback address of 127.0.0.1, or, in the cases where that doesn't work (I have not had a chance to investigate and understand these...), install the MS Loopback Connector, which by default installs at 10.0.0.1. Either of these allows the NIC addresses to continue to use DHCP.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp.
"Transforming the Service Economy"

From ashish.chaurasia at CDAC.ERNET.IN Wed Feb 28 23:16:57 2001
From: ashish.chaurasia at CDAC.ERNET.IN (Ashish Chaurasia)
Date: Thu, 1 Mar 2001 09:46:57 +0530
Subject: question
Message-ID:

Q. How are the packets treated differently in Policy Based VPNs as compared to non policy based VPNs?
Q. Give some detailed information about Policy Based VPNs?