Netscreen10-VPN

Renuka Nadkarni renuka_nadkarni at YAHOO.COM
Thu Mar 8 20:05:58 EST 2001


--- matthew patton <mep at netsec.net> wrote:
> On Thu, 8 Mar 2001, Renuka Nadkarni wrote:
>
> > untrusted network (214.35.76.4). Now I define host
> > group behind the VPN tunnel as 214.35.76.0/24).
> Then
>
> how on earth did you define a "host group"? And tie
> that into the VPN
> definition?

Most of the VPN vendors allow you to define subnets
behind the gateways that I referred to as host groups.
Remote IDs and local IDs are the same. I have not seen
Netscreen.

> Also, does there have to be traffic destined
> for the device for the
> VPN tunnel to be brought up (eg. pinging the other
> side's private IP) or
> does it come up automatically? Also, is there a way
> to know if a VPN
> tunnel is up (ie. negotiation of phase1/2 success)?

Yes, there has to be traffic to set up the tunnel, but
in some VPN devices like Lucent managed firewall, the
management station sends the UDP packets as soon as
you configure the tunnel and download policy to the
brick firewall.
Also, each gateway has different methods to see if
the tunnel is up. Sure shot way to find out is ping
across the hosts.
Also, you can see details of the tunnels by doing
sh isa sa or sh ipsec sa on Cisco routers/pix etc or
nice GUIs on some other vendors out there,
depending on the vendor again.





> --
> Network Security Technologies Inc. - Commercial
> support for OpenBSD
> www.netsec.net       (703) 561-0420
> matthew.patton at netsec.net
>
> "Government is not reason; it is not eloquence; it
> is force!
>  Like fire, it is a dangerous servant and a fearful
> master."
>   - George Washington
>
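An added example (not from the thread or any vendor's code) that models the "host group" idea discussed above: a tunnel is only negotiated when a flow matches some policy's local-group to remote-group selector, and a few consistency checks are run on the policy before blaming phase 1/2. The 214.35.76.0/24 group and the 214.35.76.4 peer are the values quoted in the thread; the local subnets, policy names and the second policy are assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class TunnelPolicy:
    """Site-to-site policy: the 'host groups' (proxy IDs) on each side plus the peer."""
    name: str
    local_group: ipaddress.IPv4Network   # subnet behind our gateway (local ID)
    remote_group: ipaddress.IPv4Network  # subnet behind the peer (remote ID)
    peer_gateway: ipaddress.IPv4Address  # untrusted-side address of the peer gateway

# Constructed policy table (assumption). 214.35.76.0/24 and 214.35.76.4 come from the
# thread; everything else is made up for the example.
POLICIES: List[TunnelPolicy] = [
    TunnelPolicy("site-b", ipaddress.ip_network("10.1.1.0/24"),
                 ipaddress.ip_network("214.35.76.0/24"), ipaddress.ip_address("214.35.76.4")),
    TunnelPolicy("site-c", ipaddress.ip_network("10.1.0.0/16"),
                 ipaddress.ip_network("214.35.0.0/16"), ipaddress.ip_address("203.0.113.9")),
]

def select_policy(src: str, dst: str, policies=POLICIES) -> Optional[TunnelPolicy]:
    """Return the most specific policy whose local->remote selector covers src->dst.

    None means the flow is not 'interesting traffic' for any tunnel, so nothing
    would trigger phase 1/2; the peer's mirror policy handles the return direction.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in policies if s in p.local_group and d in p.remote_group]
    if not matches:
        return None
    # Longest combined prefix wins when several host-group pairs overlap.
    return max(matches, key=lambda p: p.local_group.prefixlen + p.remote_group.prefixlen)

def policy_warnings(policy: TunnelPolicy) -> List[str]:
    """Cheap sanity checks on a policy's host groups, run before chasing IKE logs."""
    warnings = []
    if policy.peer_gateway in policy.remote_group:
        # Traffic to the gateway itself then matches the tunnel selector; confirm intended.
        warnings.append("peer gateway address lies inside the remote host group")
    if policy.local_group.overlaps(policy.remote_group):
        warnings.append("local and remote host groups overlap")
    return warnings

if __name__ == "__main__":
    for flow in (("10.1.1.10", "214.35.76.50"), ("10.1.5.10", "214.35.9.1"), ("10.1.1.10", "8.8.8.8")):
        hit = select_policy(*flow)
        print(flow, "->", hit.name if hit else "no tunnel (not interesting traffic)")
    for p in POLICIES:
        print(p.name, policy_warnings(p))
```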



VPN is sponsored by SecurityFocus.COM
