From shannong at texas.net Sun Dec 1 10:30:51 2002
From: shannong at texas.net (shannong)
Date: Sun, 1 Dec 2002 09:30:51 -0600
Subject: [VPN] VPN or SSL?
In-Reply-To:
Message-ID: <000101c2994e$a1d6c160$0101a8c0@asteroid>

The 128-bit encryption level of SSL is sufficient in my opinion for data encryption in most cases. Although, IPSec provides better data authenticity services than SSL. The problem I have with SSL access to web sites is that the entire Internet will have access to your web server. Obviously, hacking into a web server is a trivial thing these days. While SSL may provide encryption of your username/password logins and application data, your security problem will be that a server with access to privileged data will be an open target to the Internet.

In this scenario, VPNs are better in that a user is authenticated at the ingress point of the network by a device that has few services to exploit (firewall, VPN concentrator, etc.). This means the Internet never gains access to your web server, only validated users.

Of course, the VPN solution will provide support for your apps that don't have SSL capability either.

SSL accelerator cards simply terminate the users' SSL session in front of the web server, and then pass the session along as clear text to the target web server. This means the server doesn't have to use up its CPU doing encryption. One thing you may want to consider is an SSL accelerator that authenticates the user and then does not allow any HTTP access to the app servers. This means that the accelerator would be authenticating users at ingress when starting the SSL session. In this way, the Internet at large wouldn't have access to your web servers, only users already authenticated over SSL.

-Shannon

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of James McLintic
Sent: Thursday, November 28, 2002 12:49 PM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN or SSL?
Hi All,

Can anyone point me in the right direction please? I'm designing a new technical infrastructure for a HR managed services organisation and I'm not sure whether to use VPN or SSL. Essentially my client (customer in this case) will provide web-enabled self-service HR applications delivered over the Internet to their customers, who are medium sized organisations. These customer organisations are assumed to have high speed internet access. Now there may be a need for a few users to use a Win32 app (SAP GUI), hence the possible requirement for a VPN. The problem as I see it with a VPN in this case is the headache of managing multiple VPNs to different customer organisations: the box at either end in most cases will need to match, and customers may have their own VPN box already. That sounds like something best to avoid! So what about SSL? Well, it sounds good in that we can select which content is encrypted and which isn't, but is there a speed issue with SSL? I know of SSL Accelerator cards which take the load off the server's encryption process, but will it adversely affect the user's experience, i.e. will it be significantly slower than plain http? We will need some form of encryption/security for certain parts of the HR portal, but more importantly we need to make the customer organisations feel confident that their data is secure. VPNs may give them more comfort than SSL, I think.

What does anyone else think?

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From shimons at bll.co.il Mon Dec 2 01:46:41 2002
From: shimons at bll.co.il (Shimon Silberschlag)
Date: Mon, 2 Dec 2002 08:46:41 +0200
Subject: [VPN] VPN or SSL?
References: <000101c2994e$a1d6c160$0101a8c0@asteroid>
Message-ID: <043b01c299ce$95c7b0c0$9a04320a@shimons>

> One thing you may want to consider is an SSL
> accelerator that authenticates the user and then does not allow any HTTP
> access to the app servers.
Can you specify which products have this capability?

Shimon Silberschlag
+972-3-9352785
+972-51-207130

----- Original Message -----
From: "shannong"
To:
Sent: Sunday, December 01, 2002 17:30
Subject: RE: [VPN] VPN or SSL?
From TomM at spectrum-systems.com Mon Dec 2 11:08:02 2002
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Mon, 2 Dec 2002 11:08:02 -0500
Subject: [VPN] Netscreen VPN configuration question
Message-ID: <2A0DB5123A51874C82699788F0985ED2064FA6@sith.spectrum-systems.com>

If you have firmware upgrade support from NetScreen, you can log into their support site as if you were ready to download the software. On that page you will find a link to download manuals. The one that will probably help the most is the Concepts and Examples Guide, which is filled with some great examples.

HTH,
Tom

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com
Spectrum Systems, Inc.
11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

> -----Original Message-----
> From: yararat [mailto:yararat at go-documenta.com]
> Sent: Saturday, November 30, 2002 3:59 PM
> To: VPN at lists.shmoo.com
> Subject: [VPN] Netscreen VPN configuration question
>
> Does anyone here have any knowledge on how I can configure a
> netscreen 5XP to VPN tunnel to a Road warrior? Can I find any how-to documents?
> I am trying to set up a small office with a VPN available to some Road
> warriors (4 to be exact). I have managed to set up a virtual IP that
> works and all the internal network.
> I am now trying to set up a VPN
> tunnel but I can't seem to find any exact documentation on the subject.
> I have followed the instructions given with the 5XP cd but nothing
> works.
> My client is a win2000pro L2TP client.
>
> Regards
>
> Yuval Ararat

From ILazar at burtongroup.com Mon Dec 2 11:38:38 2002
From: ILazar at burtongroup.com (Irwin Lazar)
Date: Mon, 2 Dec 2002 09:38:38 -0700
Subject: [VPN] VPN or SSL?
Message-ID: <53BBA8839E91D51194D200902728944ED6474E@bgslc03.burtongroup.com>

There are a whole slew of SSL accelerator products out there from companies such as SafeWeb, Intel, Neoteris and others. There is also Aventail, which provides managed SSL VPN services. In our experience, SSL-based VPNs have proven to be a very attractive solution for enterprises simply looking to provide remote access to web-based applications or applications which use well-known ports. Several of the SSL appliances from the vendors mentioned above also support SSL for applications such as Outlook & Notes.

We've got a fairly detailed research report on this topic; if you'd like to preview a copy please contact me off-list.

thanks,
irwin

------
Irwin Lazar
Practice Manager, Burton Group
www.burtongroup.com
ilazar at burtongroup.com
Office: 703-742-9659
Cell: 703-402-4119

-----Original Message-----
From: Shimon Silberschlag [mailto:shimons at bll.co.il]
Sent: Monday, December 02, 2002 1:47 AM
To: vpn at lists.shmoo.com
Subject: Re: [VPN] VPN or SSL?

> One thing you may want to consider is an SSL
> accelerator that authenticates the user and then does not allow any HTTP
> access to the app servers.

Can you specify which products have this capability?

Shimon Silberschlag
+972-3-9352785
+972-51-207130

----- Original Message -----
From: "shannong"
To:
Sent: Sunday, December 01, 2002 17:30
Subject: RE: [VPN] VPN or SSL?
From bet at rahul.net Mon Dec 2 15:07:15 2002
From: bet at rahul.net (Bennett Todd)
Date: Mon, 2 Dec 2002 15:07:15 -0500
Subject: [VPN] VPN or SSL?
In-Reply-To:
References:
Message-ID: <20021202200715.GF1073@rahul.net>

An interesting question you ask. And the answers have included some interesting points. I'll just add a couple of cents here.

(1) Outsourcing HR-related activities is about as sensitive as it gets, for most companies. You need to set the highest standard. This simplifies some parts of your problem: you need to be designing your basic offering around dedicated servers for each customer, so they don't need to worry about accidents exposing their data to other customers of yours. Cheap 1U rackmounts are the way to go here. This in turn means that you're well set to not worry about the CPU overhead of terminating SSL or VPN (the two shouldn't be that radically different); when you're building on a server farm model, CPU is cheap and easy to scale up.

(2) My own taste leans towards a series of service offerings, tuned to different application requirements and security needs. Among these would be pre-shared-public-key-authenticated IPSec VPN, client-certificate-authenticated SSL, and SSL with authentication handoff from a client's in-house authentication server using HMAC. Oh, and also unauthenticated SSL into a server with very very tightly written and audited code to forward SecurID auth to a backend server.

> The problem as I see it with a VPN in this case is the headache of
> managing multiple VPNs to different customer organisations - the
> box at either end in most cases will need to match and customers
> may have their own VPN box already.

I think you may be overstating that problem. IPSec interop is pretty good these days; any solution that a customer of yours has already stabilized on should be able to interop with Linux+FreeS/WAN, or OpenBSD, or a Cisco 3000, or whatever else grooves you. The key is to find the intersection of features and options for which it works. Often that seems to be pre-computed pre-shared public keys, automatic re-keying, 3DES.
This is a sound and maintainable configuration. And if you're going to be offering VPN access, you'll probably also want to include as an optional service offering a VPN endpoint box for the client end, which you provide and set up. This appeals to places that haven't yet gotten their VPN act together, and it gives you a comforting fallback position if you should be unable to make your VPN work with theirs.

-Bennett

From tbird at precision-guesswork.com Wed Dec 4 14:27:58 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 4 Dec 2002 19:27:58 +0000 (GMT)
Subject: [VPN] [Macsec] New ipsec vpn tool (free)
Message-ID: <20021204192653.C27311-100000@sisyphus.iocaine.com>

For all those readers out there who need IPsec on Macintoshes...

From: thomasv at mac.com
Date: Mon, 2 Dec 2002 08:40:21 -0800
To: macsec at macsecurity.org
Cc: macsec at securemac.com
Subject: [Macsec] New ipsec vpn tool (free)

I was just told about a neat new tool at the AFP548.com web site. A free ipsec tool that works with SonicWall routers. Not as full featured, or open source, as I would like. But it is free, as in free beer.

Can be found at http://www.afp548.com/Software/index.html

Cheers,
Thomas Vincent

From support at tradersparadise.com Wed Dec 4 14:34:51 2002
From: support at tradersparadise.com (Trader's Paradise)
Date: Wed, 4 Dec 2002 13:34:51 -0600
Subject: [VPN] Intro and looking for a solution
Message-ID:

Hi,

I'm the system admin for the company I work for (KFMI Inc) and I am trying to find a VPN appliance that will fit my needs. We have a proprietary application that will send multicast traffic to our end users; however, we have to establish a VPN in order to deliver the multicast packets off-site.
I am trying to find a VPN appliance that I can configure in house to send off site to handle the multicast routing. Currently we are using the VPN services in Win2K, but that has been a less than stable solution and it requires a competent user at the offsite location to administer the W2K box on that end.

Any suggestions?

John Guynn
System Administrator
support at tradescan.cc

From losttoy2000 at yahoo.co.uk Thu Dec 5 08:19:44 2002
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Thu, 5 Dec 2002 13:19:44 +0000 (GMT)
Subject: [VPN] Site to site VPN with PIX 515E and NAT before IPSec with access-lists
Message-ID: <20021205131945.72268.qmail@web12707.mail.yahoo.com>

Hi,

I want to establish a VPN tunnel from a PIX to another IPSec gateway in the following way:

Local network: 172.16.22.0. This network should be natted to a global IP, say, 202.125.145.31.
Destination host: 10.253.96.1
Remote Peer: 209.206.81.71

Users from 172.16.22.0 should only be able to access the FTP service on the destination host. The local network needs to be natted to a valid IP address because the remote site security policy does not permit any communication with invalid/private IP addresses.

The IKE policy for the tunnel would be: HMAC-MD5, 3DES
IPSEC SA: ESP-3DES ESP-HMAC-MD5

Could someone advise me on the config to be done on the PIX? I know the IKE and IPSec config to be done, but how do I handle access-lists and NAT?

Btw, don't try the valid IP addresses listed up there because I have fudged with them. ;)

Regards,
Siddhartha
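The question above turns on the order in which the firewall applies NAT and the crypto map: if the crypto access-list is written against the pre-NAT private addresses, traffic to the remote host never matches the tunnel and leaves in the clear. The model below is an added example, not code from the thread or from Cisco; it uses the thread's own (fudged) addresses and the nat/global pair and access-list 115 that a later reply in this thread proposes, and it goes one step beyond the thread by adding an FTP-only interface access-list. The evaluation order (interface list, then NAT, then crypto match) and the helper names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Addresses from the thread (the poster says they are fudged, not real ones).
LOCAL_NET = ipaddress.ip_network("172.16.22.0/24")
GLOBAL_IP = ipaddress.ip_address("202.125.145.31")
DEST_HOST = ipaddress.ip_address("10.253.96.1")
FTP_CONTROL_PORT = 21


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port for tcp/udp


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port


def host(addr) -> ipaddress.IPv4Network:
    """The 'host a.b.c.d' form used in PIX access-lists, as a /32."""
    return ipaddress.ip_network(f"{addr}/32")


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; an access-list ends with an implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if pkt.src not in e.src or pkt.dst not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


def translate(pkt: Packet) -> Packet:
    """Model of the pair
         nat (inside) 4 172.16.22.0 255.255.255.0
         global (outside) 4 202.125.145.31
    every inside source address is rewritten to the single global address."""
    if pkt.src in LOCAL_NET:
        return Packet(GLOBAL_IP, pkt.dst, pkt.proto, pkt.dport)
    return pkt


def outbound_decision(pkt: Packet, inside_acl, crypto_acl) -> str:
    """Return 'drop', 'encrypt' or 'clear'. Order assumed here, as the thread
    describes it: the interface access-list sees the original inside address,
    NAT runs next, and the crypto map's 'match address' list is checked
    against the translated packet."""
    if not acl_permits(inside_acl, pkt):
        return "drop"
    translated = translate(pkt)
    if acl_permits(crypto_acl, translated):
        return "encrypt"
    # No crypto map match: the firewall would forward the packet unprotected.
    return "clear"


# Interface access-list for the FTP-only requirement (constructed for this
# example; the FTP data channel is left to the firewall's FTP inspection).
INSIDE_ACL = [AclEntry("permit", "tcp", LOCAL_NET, host(DEST_HOST), FTP_CONTROL_PORT)]

# access-list 115 permit ip host 202.125.145.31 host 10.253.96.1
CRYPTO_ACL_GLOBAL = [AclEntry("permit", "ip", host(GLOBAL_IP), host(DEST_HOST))]

# The same list written against the pre-NAT private network by mistake.
CRYPTO_ACL_PRIVATE = [AclEntry("permit", "ip", LOCAL_NET, host(DEST_HOST))]


def demo() -> dict:
    """Walk an FTP and a web packet from an inside host through both designs."""
    inside_host = ipaddress.ip_address("172.16.22.10")
    ftp = Packet(inside_host, DEST_HOST, "tcp", FTP_CONTROL_PORT)
    web = Packet(inside_host, DEST_HOST, "tcp", 80)
    return {
        "ftp_global_acl": outbound_decision(ftp, INSIDE_ACL, CRYPTO_ACL_GLOBAL),    # encrypt
        "ftp_private_acl": outbound_decision(ftp, INSIDE_ACL, CRYPTO_ACL_PRIVATE),  # clear
        "web_global_acl": outbound_decision(web, INSIDE_ACL, CRYPTO_ACL_GLOBAL),    # drop
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "clear" verdict is the case worth checking on a real box: a crypto list that matches nothing is silently a cleartext path, not a blocked one.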
From Stephen.Hope at energis.com Thu Dec 5 12:37:09 2002
From: Stephen.Hope at energis.com (Stephen Hope)
Date: Thu, 5 Dec 2002 17:37:09 -0000
Subject: [VPN] Intro and looking for a solution
Message-ID: <73BE32DA9E55D511ACF30050BAEA048702A8ED22@eisemail.energis.co.uk>

John,

It sounds like you should use something flexible; routers with VPN tunnels may be the most flexible way to do this. I would use a Cisco router, and possibly use GRE tunnels, then maybe PIM to handle any multicast routing.

Having said all that, I haven't done this in anger and I would want at least 3 boxes on a bench for a few days before I would be comfortable that the solution was useful / reliable / supportable etc.

Regards

Stephen Hope
Senior Technical Consultant, Energis
Tel: +44 (0)1625 581 032, Mob: +44 (0)780 002 2626

-----Original Message-----
From: Trader's Paradise [mailto:support at tradersparadise.com]
Sent: 04 December 2002 19:35
To: vpn list
Subject: [VPN] Intro and looking for a solution
From murthy_d at excite.com Thu Dec 5 22:59:58 2002
From: murthy_d at excite.com (murthy devarakonda)
Date: Thu, 5 Dec 2002 22:59:58 -0500 (EST)
Subject: [VPN] Regarding NATing and Creating VPN tunnel at single point.
Message-ID: <20021206035958.BD0293DF2@xmxpita.excite.com>

Hi all,

I have to create a VPN tunnel between two PIXs. Inside the LAN we are using a private IP addressing range. On the other side, people don't accept private IP addressing ranges. I have a basic question: can I NAT and create a VPN tunnel at my firewall? Please advise me.

Thanks in advance.
Murthy.
From support at tradersparadise.com Fri Dec 6 08:40:04 2002
From: support at tradersparadise.com (Trader's Paradise)
Date: Fri, 6 Dec 2002 07:40:04 -0600
Subject: [VPN] Intro and looking for a solution
In-Reply-To: <73BE32DA9E55D511ACF30050BAEA048702A8ED22@eisemail.energis.co.uk>
Message-ID:

Thanks for the suggestion; unfortunately my R&D budget for this project is quite low, so I'm hoping to find an off the shelf solution. I'm finding it very hard to believe that I'm the only person in the world needing to route non-IPSec compatible (read non-unicast) packets over a VPN.

John Guynn
System Administrator
support at tradersparadise.com

-----Original Message-----
From: Stephen Hope [mailto:Stephen.Hope at energis.com]
Sent: Thursday, December 05, 2002 11:37 AM
To: 'Trader's Paradise'; vpn list
Subject: RE: [VPN] Intro and looking for a solution
From stevesk at pobox.com Fri Dec 6 21:11:43 2002
From: stevesk at pobox.com (Kevin Steves)
Date: Fri, 6 Dec 2002 18:11:43 -0800
Subject: [VPN] Netscreen VPN configuration question
In-Reply-To: <2A0DB5123A51874C82699788F0985ED2064FA6@sith.spectrum-systems.com>
References: <2A0DB5123A51874C82699788F0985ED2064FA6@sith.spectrum-systems.com>
Message-ID: <20021207021143.GD2182@jenny.crlsca.adelphia.net>

On Mon, Dec 02, 2002 at 11:08:02AM -0500, Tom McHugh wrote:
> If you have firmware upgrade support from NetScreen, you can log into their
> support site as if you were ready to download the software. On that page
> you will find a link to download manuals. The one that will probably help
> the most is the Concepts and Examples Guide, which is filled with some great
> examples.

manuals are public, though perhaps hard to find:
http://www.netscreen.com/support/manuals.html

the link is off the TAC page:
http://www.netscreen.com/support/technical_assistance.html

From losttoy2000 at yahoo.co.uk Sat Dec 7 00:04:09 2002
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Sat, 7 Dec 2002 05:04:09 +0000 (GMT)
Subject: [VPN] Regarding NATing and Creating VPN tunnel at single point.
In-Reply-To: <20021206035958.BD0293DF2@xmxpita.excite.com>
Message-ID: <20021207050409.61757.qmail@web12702.mail.yahoo.com>

Hi Murthy,

I am facing a similar situation. I wrote to TAC but they say it isn't possible. However, I think it is possible. I cooked up the following config. Try it and see if it works.
NAT 172.16.22.0 to the global IP 202.125.145.31:

    nat (inside) 4 172.16.22.0 255.255.255.0
    global (outside) 4 202.125.145.31

Define my interesting traffic:

    access-list 115 permit ip host 202.125.145.31 host 10.253.96.1

Define access-list 115 as my interesting traffic:

    crypto map map01 2 match address 115

Use ESP-3DES ESP-HMAC-MD5 as my transform-set.

Happy tunneling!!!

Regards,
Siddhartha

--- murthy devarakonda wrote:
> I have to create a VPN tunnel between two PIXs.
> Inside the LAN we are using a private IP addressing
> range. On the other side people don't accept
> private IP addressing ranges. I have a basic
> question: can I NAT and create a VPN tunnel at my
> firewall? Please advise me.

From duaned at nocturnal.net Sat Dec 7 11:57:11 2002
From: duaned at nocturnal.net (Duane Davis)
Date: Sat, 7 Dec 2002 08:57:11 -0800
Subject: [VPN] VPnet VSU-100R
Message-ID: <20021207085711.B5371@cricket.nocturnal.net>

I'm in the process of setting up a small neighborhood wireless network and am looking at using VPNs for encryption and authentication. I'm also evaluating it as a possible solution to my clients' needs. I recently picked up a VPnet VSU-100R VPN gateway. Unfortunately it doesn't come with remote management software (that's an extra $1000) and there's only enough documentation to get it to the point where you can use the remote management software. Even though it looks like it can be fully configured via the serial console, there is no info on how to do it. The specs on this unit are also very vague when it comes to issues of compatibility with VPN clients other than their own $99 client.
Since this is a very low budget project I can't afford to spend thousands of dollars more to make this thing work, and it appears that the only thing VPnet/Avaya is interested in is more money. They won't even talk to you unless you have a support contract.

Is there any help out there? Or am I better off returning this thing and looking at some other product?

Thanks,
Duane

From yararat at go-documenta.com Sat Dec 7 13:31:13 2002
From: yararat at go-documenta.com (yararat)
Date: Sat, 7 Dec 2002 20:31:13 +0200
Subject: [VPN] Netscreen VPN configuration question
In-Reply-To: <20021207021143.GD2182@jenny.crlsca.adelphia.net>
Message-ID: <000401c29e1e$d50e5910$20551840@ts.com>

Thank you all, guys. I am happy to say that till now I have been on their site all along but never found a document that matches my needs. I am trying to get to a document that defines the process of configuring an IPSec L2TP tunnel using a Windows 2000 client. I have never seen a document like this and I have never really made a connection with the appliance using the L2TP IP I got it set to. I know that their client is easy to install, but I am wondering why they never made documentation easy and standard.

Regards

Yuval Ararat
Documenta LLC.
Office: +1-973-729-5712
Toll Free: 1-866-239-8516
e-Mail: yararat at go-documenta.com

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Kevin Steves
Sent: Saturday, December 07, 2002 4:12 AM
To: Tom McHugh
Cc: 'yararat at go-documenta.com'; VPN at lists.shmoo.com; stevesk at pobox.com
Subject: Re: [VPN] Netscreen VPN configuration question

On Mon, Dec 02, 2002 at 11:08:02AM -0500, Tom McHugh wrote:
> If you have firmware upgrade support from NetScreen, you can log into their
> support site as if you were ready to download the software. On that page
> you will find a link to download manuals.
> The one that will probably help
> the most is the Concepts and Examples Guide, which is filled with some great
> examples.

manuals are public, though perhaps hard to find:
http://www.netscreen.com/support/manuals.html

the link is off the TAC page:
http://www.netscreen.com/support/technical_assistance.html

From kazuki.kamiya at uniadex.co.jp Sun Dec 8 06:14:49 2002
From: kazuki.kamiya at uniadex.co.jp (kazuki kamiya)
Date: Sun, 8 Dec 2002 20:14:49 +0900
Subject: [VPN] VPN3000 and digital certificate
Message-ID:

Hi all,

I'm testing a VPN3000, but I have a problem. Can anyone tell me whether this is a problem with the digital certificate or not? I'm using Easy Cert as the CA.

################VPN3000 debug log.#######################
. . . .
59 12/08/2002 19:20:50.830 SEV=7 IKEDBG/28 RPT=15 172.16.1.1 IKE SA Proposal # 1, Transform # 2 acceptable Matches global IKE entry # 1
60 12/08/2002 19:20:50.830 SEV=9 IKEDBG/0 RPT=10070 172.16.1.1 constructing ISA_SA for isakmp
61 12/08/2002 19:20:50.830 SEV=9 IKEDBG/46 RPT=70 172.16.1.1 constructing Fragmentation VID + extended capabilities payload
62 12/08/2002 19:20:50.830 SEV=8 IKEDBG/0 RPT=10071 172.16.1.1 SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) total length : 112
64 12/08/2002 19:20:50.920 SEV=8 IKEDBG/0 RPT=10072 172.16.1.1 RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 248
66 12/08/2002 19:20:50.920 SEV=8 IKEDBG/0 RPT=10073 172.16.1.1 RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 248
68 12/08/2002 19:20:50.920 SEV=9 IKEDBG/0 RPT=10074 172.16.1.1 processing ke payload
69 12/08/2002 19:20:50.920 SEV=9 IKEDBG/0 RPT=10075 172.16.1.1 processing ISA_KE
70 12/08/2002 19:20:50.920 SEV=9 IKEDBG/1 RPT=96 172.16.1.1 processing nonce payload
71 12/08/2002 19:20:50.980 SEV=9 IKEDBG/0 RPT=10076
172.16.1.1 constructing ke payload 72 12/08/2002 19:20:50.980 SEV=9 IKEDBG/1 RPT=97 172.16.1.1 constructing nonce payload 73 12/08/2002 19:20:50.980 SEV=9 IKEDBG/0 RPT=10077 172.16.1.1 constructing certreq payload 74 12/08/2002 19:20:50.980 SEV=9 IKEDBG/46 RPT=71 172.16.1.1 constructing Cisco Unity VID payload 75 12/08/2002 19:20:50.980 SEV=9 IKEDBG/46 RPT=72 172.16.1.1 constructing xauth V6 VID payload 76 12/08/2002 19:20:50.980 SEV=9 IKEDBG/48 RPT=29 172.16.1.1 Send IOS VID 77 12/08/2002 19:20:50.980 SEV=9 IKEDBG/38 RPT=15 172.16.1.1 Constructing VPN 3000 spoofing IOS Vendor ID payload (version: 1.0.0, capabiliti es: 20000001) 79 12/08/2002 19:20:50.980 SEV=9 IKEDBG/46 RPT=73 172.16.1.1 constructing VID payload 80 12/08/2002 19:20:50.980 SEV=9 IKEDBG/48 RPT=30 172.16.1.1 Send Altiga GW VID 81 12/08/2002 19:20:50.980 SEV=9 IKEDBG/0 RPT=10078 172.16.1.1 Generating keys for Responder... 82 12/08/2002 19:20:50.980 SEV=8 IKEDBG/0 RPT=10079 172.16.1.1 SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) total length : 421 84 12/08/2002 19:20:51.090 SEV=8 IKEDBG/0 RPT=10080 172.16.1.1 RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + CERT_REQ (7) + SIG (9) + NOTIFY (11) + NONE (0) total length : 1045 87 12/08/2002 19:20:51.090 SEV=9 IKEDBG/1 RPT=98 172.16.1.1 Processing ID 88 12/08/2002 19:20:51.090 SEV=9 IKEDBG/0 RPT=10081 172.16.1.1 processing cert payload 89 12/08/2002 19:20:51.090 SEV=9 IKEDBG/0 RPT=10082 172.16.1.1 processing cert request payload 90 12/08/2002 19:20:51.090 SEV=9 IKEDBG/1 RPT=99 172.16.1.1 processing RSA signature 91 12/08/2002 19:20:51.090 SEV=9 IKEDBG/0 RPT=10083 172.16.1.1 computing hash 92 12/08/2002 19:20:51.100 SEV=9 IKEDBG/0 RPT=10084 172.16.1.1 Processing Notify payload 93 12/08/2002 19:20:51.100 SEV=9 IKEDBG/23 RPT=15 172.16.1.1 Starting group lookup for peer 172.16.1.1 94 12/08/2002 19:20:51.100 SEV=5 IKE/21 RPT=15 172.16.1.1 No Group found by matching IP Address of Cert peer 172.16.1.1 95 12/08/2002 
19:20:51.100 SEV=5 CERT/101 RPT=15 Cert group matching feature is disabled 96 12/08/2002 19:20:51.200 SEV=7 IKEDBG/0 RPT=10085 172.16.1.1 Group [abc] Found Phase 1 Group (abc) 97 12/08/2002 19:20:51.200 SEV=7 IKEDBG/14 RPT=29 172.16.1.1 Group [abc] Authentication configured for Internal 98 12/08/2002 19:20:51.200 SEV=9 IKEDBG/19 RPT=23 172.16.1.1 Group [abc] IKEGetUserAttributes: IP Compression = disabled 99 12/08/2002 19:20:51.200 SEV=9 IKEDBG/19 RPT=24 172.16.1.1 Group [abc] IKEGetUserAttributes: Split Tunneling Policy = Disabled 100 12/08/2002 19:20:51.200 SEV=8 CERT/15 RPT=14 CERT_Authenticate(32, 74ad1f8, 572560) 101 12/08/2002 19:20:51.200 SEV=7 CERT/5 RPT=15 Checking revocation status: session = 32 102 12/08/2002 19:20:51.200 SEV=8 CERT/45 RPT=14 CERT_CheckCrlConfig(3a46d30, 0, 0) 103 12/08/2002 19:20:51.210 SEV=7 CERT/1 RPT=16 Certificate is valid: session = 32 104 12/08/2002 19:20:51.210 SEV=9 CERT/0 RPT=14 No CRLs checks necessary. 105 12/08/2002 19:20:51.210 SEV=8 CERT/50 RPT=14 CERT_Callback(3a46d30, 0, 0) 106 12/08/2002 19:20:51.210 SEV=5 IKE/79 RPT=14 172.16.1.1 Group [abc] Validation of certificate successful (CN=client2, SN=04) 107 12/08/2002 19:20:51.210 SEV=7 IKEDBG/0 RPT=10086 172.16.1.1 Group [abc] peer ID type 9 received (DER_ASN1_DN) 108 12/08/2002 19:20:51.210 SEV=9 IKEDBG/1 RPT=100 172.16.1.1 Group [abc] constructing ID 109 12/08/2002 19:20:51.210 SEV=9 IKEDBG/0 RPT=10087 172.16.1.1 Group [abc] constructing cert payload 110 12/08/2002 19:20:51.210 SEV=9 IKEDBG/1 RPT=101 172.16.1.1 Group [abc] constructing RSA signature 111 12/08/2002 19:20:51.210 SEV=9 IKEDBG/0 RPT=10088 172.16.1.1 Group [abc] computing hash 112 12/08/2002 19:20:51.220 SEV=9 IKEDBG/46 RPT=74 172.16.1.1 Group [abc] constructing dpd vid payload 113 12/08/2002 19:20:51.220 SEV=8 IKEDBG/0 RPT=10089 172.16.1.1 SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) total length : 825 115 12/08/2002 19:20:51.650 SEV=8 IKEDBG/0 RPT=10090 172.16.1.1 RECEIVED Message 
(msgid=3dbd803e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 625 117 12/08/2002 19:20:51.650 SEV=9 IKEDBG/0 RPT=10091 172.16.1.1 Group [abc] processing hash 118 12/08/2002 19:20:51.650 SEV=9 IKEDBG/0 RPT=10092 172.16.1.1 Group [abc] Processing Notify payload 119 12/08/2002 19:20:51.650 SEV=5 IKE/68 RPT=15 172.16.1.1 Group [abc] Received non-routine Notify message: Invalid certificate (20) 120 12/08/2002 19:20:52.220 SEV=9 IKEDBG/0 RPT=10093 172.16.1.1 Group [abc] constructing blank hash 121 12/08/2002 19:20:52.220 SEV=9 IKEDBG/0 RPT=10094 172.16.1.1 Group [abc] constructing qm hash 122 12/08/2002 19:20:52.220 SEV=8 IKEDBG/0 RPT=10095 172.16.1.1 SENDING Message (msgid=7740f5d6) with payloads : HDR + HASH (8) + ATTR (14) total length : 100 From stevesk at pobox.com Sun Dec 8 20:47:46 2002 From: stevesk at pobox.com (Kevin Steves) Date: Sun, 8 Dec 2002 17:47:46 -0800 Subject: [VPN] Netscreen VPN configuration question In-Reply-To: <000401c29e1e$d50e5910$20551840@ts.com> References: <20021207021143.GD2182@jenny.crlsca.adelphia.net> <000401c29e1e$d50e5910$20551840@ts.com> Message-ID: <20021209014746.GA1338@jenny.crlsca.adelphia.net> On Sat, Dec 07, 2002 at 08:31:13PM +0200, yararat wrote: > Thank you all guys. > I am happy to say that till now I have been in their site all along but > never found a document that matches my needs. I am trying to get to a > document that defines the process of configuring a IPSec L2TP tunnel > using a client of windows 2000. I have never seen a document like this > and I have never really made a connection with the appliance using the > L2TP IP I got it set to. I know that their client is easy to install but > I am wondering why they never made documentation easy and standard. 
there is L2TP info in chapter 5 of this manual:
http://www.netscreen.com/support/downloads/CE_v4_vpns.pdf

From gclef at speakeasy.net Mon Dec 9 15:52:20 2002
From: gclef at speakeasy.net (gclef at speakeasy.net)
Date: Mon, 9 Dec 2002 12:52:20 -0800
Subject: [VPN] multiple VPNs *through* checkpoint
Message-ID: <20021209205220.18659.qmail@webmail.speakeasy.net>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20021209/7dfa4a55/attachment.txt

From osmond at holburn.com Mon Dec 9 16:05:38 2002
From: osmond at holburn.com (Chad Osmond)
Date: Mon, 9 Dec 2002 16:05:38 -0500
Subject: [VPN] Netscreen and DSL Gateways
Message-ID: <00a401c29fc6$b9c03e40$6d01a8c0@HOLBURN1000>

Hello,

Anyone had any experience with Netscreens and Residential (Cheap) DSL/Cable Gateways with VPN support built in? I've looked into the D-Link 804V and Linksys Broadband router with VPN, neither seemed all that great (Support was even worse). Netscreens on the remote side would be a dream, but they're pretty expensive these days.

Thanks,
Chad

From support at tradersparadise.com Tue Dec 10 13:21:57 2002
From: support at tradersparadise.com (Trader's Paradise)
Date: Tue, 10 Dec 2002 12:21:57 -0600
Subject: [VPN] Linux as a VPN os
Message-ID:

Ok, since I have yet to find a pre-built VPN appliance that will forward multicast packets, what is the possibility of using Linux to do the job? Is this something that would be doable for a Linux newbie (ie would it be relatively easy to learn)?

Thanks in advance,

John Guynn
System Administrator
support at tradersparadise.com

From lists at hindenes.com Tue Dec 10 13:24:32 2002
From: lists at hindenes.com (Trond Hindenes)
Date: Tue, 10 Dec 2002 19:24:32 +0100
Subject: [VPN] How to configure cisco PIX bith both site-to-site VPN tunnel and VPN hosts for software-based clients?
Message-ID: <1876A880186F694787331FB946C503FE16C027@exch01-osl.columbus.no>

I am having much trouble finding info on this:

The problem is, of course, that whenever I search for information on how to set up my pix to do one specific task (ie web server publishing, internet access, whatever), I am having no trouble. The thing is, I need to set my PIX up to do the following:

My PIX is a 515 R with 3 network interfaces, outside, inside, and DMZ

-Internet gateway
-Publish web server
-Publish mail server
-VPN Tunnel site-to-site to another office (they are using Checkpoint FW1)
-VPN Server for Software-based Cisco VPN Clients, authenticate with internal radius server

I have successfully set up my pix to do each of these tasks, and now it runs the site-to-site config mentioned. The problem is, I simply can not find any info that thoroughly describes the different config lines (this goes especially for the VPN Part) so that I intelligently can set it up like I want to.

I would deeply appreciate any suggestions, both on where to look for good info, and also hints on the config.
Below is my network overview and my current site-to-site config:

Internal network: 10.1.1.0 netmask 255.255.255.0
Internal PIX address: 10.1.1.14
Internal address of SMTP Server to be published: 10.1.1.85 (sits in LAN)
External PIX address 217.199.32.130 netmask 255.255.255.248
External router: 217.199.32.129
DMZ network: 172.16.1.0 255.255.255.0
Web server in DMZ: 172.16.1.2

Config of Site-to-site tunnel:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password i/ZPsK.7emNNRpuK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixgateway
domain-name columbus.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 157.237.128.0 255.255.224.0
access-list 101 permit ip 157.238.128.0 255.255.224.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 157.237.176.0 255.255.248.0
access-list 101 permit ip 157.238.176.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list 102 permit ip 157.238.128.0 255.255.224.0 10.1.1.0 255.255.255.0
access-list 102 permit ip 157.238.176.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list 102 permit icmp any any
access-list inside_access_in permit icmp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 217.199.32.130 255.255.255.248
ip address inside 10.1.1.14 255.255.255.0
ip address dmz 172.16.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.175-10.1.2.254
pdm location 10.1.1.60 255.255.255.255 inside
pdm location 10.1.1.188 255.255.255.255 inside
pdm location 10.1.1.134 255.255.255.255 inside
pdm location 172.16.1.2 255.255.255.255 dmz
pdm location 10.1.1.0 255.255.255.0 inside
pdm location 10.1.1.63 255.255.255.255 inside
pdm location 10.1.1.201 255.255.255.255 inside
pdm location 172.16.1.0 255.255.255.0 dmz
pdm history enable
arp timeout 14400
global (outside) 1 217.199.32.131
global (outside) 2 217.199.32.132
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface outside
access-group inside_access_in in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 217.199.32.129 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
http server enable
http 10.1.1.60 255.255.255.255 inside
http 10.1.1.0 255.255.255.0 inside
http 10.1.1.134 255.255.255.255 inside
http 10.1.1.63 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.1.1.188 pixconfig11112002_01
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set pixset esp-des esp-sha-hmac
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address 101
crypto map testmap 10 set peer 195.140.24.167
crypto map testmap 10 set transform-set pixset
crypto map testmap interface outside
isakmp enable outside
isakmp key ******** address 195.140.24.167 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.1.60
vpngroup vpn3000 wins-server 10.1.1.60
vpngroup vpn3000 default-domain columbus.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.1.188 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:e39030a9b2db4c0dac66931a7ff7d1f8

From joshv at bcgsys.com Tue Dec 10 13:29:19 2002
From: joshv at bcgsys.com (Joshua Vince)
Date: Tue, 10 Dec 2002 13:29:19 -0500
Subject: [VPN] multiple VPNs *through* checkpoint
Message-ID: <127D9E8872144749A56C77E94025D1451CB723@akrn09.stw.com>

I haven't tried this, but it probably won't work. UDP 500 will pass through many firewall implementations of many-one NAT, but IP Protocol 50 or 51 (ESP and AH) won't. This is because there is no way to port-map an IP Protocol. It should work with a one-one NAT though.

Josh

-----Original Message-----
From: gclef at speakeasy.net [mailto:gclef at speakeasy.net]
Sent: Monday, December 09, 2002 3:52 PM
To: vpn at shmoo.com
Subject: [VPN] multiple VPNs *through* checkpoint

So, I've got an interesting question: has anyone tried to pass multiple IPSec VPNs through (ie not terminating at) a Checkpoint Firewall? (especially one that's doing a many-one NAT)

I'm wondering how the firewall will handle the need for udp port 500 traffic (inbound through the firewall) to do the VPN keying.

Anyone try this yet?

Thanks.

Aaron

From Travis.Watson at Honeywell.com Tue Dec 10 13:32:08 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Tue, 10 Dec 2002 11:32:08 -0700
Subject: [VPN] multiple VPNs *through* checkpoint
Message-ID:

Aaron,

I've done it through a PIX, but not Checkpoint. The basics are the same, I would imagine though. Just allow for IPSec src and dst from either specific IPs or "any."
--Travis

From dave at ascomputer.com Tue Dec 10 13:37:17 2002
From: dave at ascomputer.com (Dave Sroelov)
Date: Tue, 10 Dec 2002 10:37:17 -0800
Subject: [VPN] Netscreen and DSL Gateways
References: <00a401c29fc6$b9c03e40$6d01a8c0@HOLBURN1000>
Message-ID: <3DF6345D.74DB5F60@ascomputer.com>

chad,

i've adopted the netscreen 5XP as my remote gateway of choice. after having used all of the $400-$500 (give or take) boxes, the netscreen is by far the most reliable and versatile. you can configure just about anything in the box and that makes it a dream to work with, particularly when the box on the other end might be a little fussy.

i have also tried three or four of the "home gateway" gizmos by linksys and netscreen, and have found them to be a royal pain. if they work, great. if not, oh well. a lot of people like them, and that's ok. but from a commercial perspective, and most of the VPN gateways would be connecting to a central network, it's just not worth saving the $300. when you figure in the support costs associated with VPN's, it's much more reasonable to just spend the extra money up front and get something that works and stays working.

dave

Chad Osmond wrote:
> Hello,
>
> Anyone had any experience with Netscreen's and Residential (Cheap) DSL/Cable
> Gateways with VPN support built it?
From sbest at best.com Tue Dec 10 13:54:16 2002
From: sbest at best.com (Scott C. Best)
Date: Tue, 10 Dec 2002 18:54:16 +0000 (GMT)
Subject: [VPN] multiple VPNs *through* checkpoint
In-Reply-To: <127D9E8872144749A56C77E94025D1451CB723@akrn09.stw.com>
Message-ID:

An off-the-wall suggestion: when I was working on the echoWall firewall script for the LEAF Linux distro, I used the "ipfwd" utility to forward IP protocols 50 and 51 across the firewall (and 47 for PPTP). Interestingly...if I forwarded them to the broadcast address of the LAN, then multiple VPN clients could work behind the many-to-one NAT'ing firewall. The IPSec clients were, apparently, smart enough to extract signal from noise.

cheers,
Scott
From tbird at precision-guesswork.com Tue Dec 10 13:27:54 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Tue, 10 Dec 2002 18:27:54 +0000 (GMT)
Subject: [VPN] multiple VPNs *through* checkpoint
In-Reply-To: <20021209205220.18659.qmail@webmail.speakeasy.net>
Message-ID: <20021210182606.I8279-100000@sisyphus.iocaine.com>

On Mon, 9 Dec 2002, gclef at speakeasy.net wrote:

> So, I've got an interesting question: has anyone tried to pass multiple IPSec VPNs through (ie not terminating at) a Checkpoint Firewall? (especially one that's doing a many-one NAT)
>
> I'm wondering how the firewall will handle the need for udp port 500 traffic (inbound through the firewall) to do the VPN keying.
>

Badly, probably ;-) The big thing to be aware of is that in order for IKE negotiation to succeed, both source and destination UDP ports must be 500. So you have to configure the firewalls to pass through the original ports without modifying them. Otherwise the destination machine can't tell it's dealing with IKE.

> Anyone try this yet?
>

I don't know off the top of my head how to do this on a Checkpoint.
Look for something including words like "port translation" or PAT...

tbird

From Travis.Watson at Honeywell.com Tue Dec 10 14:36:36 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Tue, 10 Dec 2002 12:36:36 -0700
Subject: [VPN] multiple VPNs *through* checkpoint
Message-ID:

Oops--Josh read it more carefully than me, Aaron. The Many-to-1 would almost definitely kill it, yes.

--Travis

From charrington at syseng.com Tue Dec 10 14:38:28 2002
From: charrington at syseng.com (Christopher Harrington)
Date: Tue, 10 Dec 2002 14:38:28 -0500
Subject: [VPN] Client VPN connection over PPOE??
Message-ID:

All,

I have Verizon DSL (PPPoE) at home and would like to connect to my Work VPN (Cisco client connecting to a PIX). Is this possible? I have seen people say yes and no.

Thanks,
Chris

From mail at meiremania.com Tue Dec 10 14:37:36 2002
From: mail at meiremania.com (meiremania.com)
Date: Tue, 10 Dec 2002 20:37:36 +0100
Subject: [VPN] Linux as a VPN os
References:
Message-ID: <091c01c2a083$98fbe480$0301a8c0@saddam>

Just check out freeswan.org. Linux has many good features as a VPN OS. Just look in the freeswan documentation and you will see the VPN-prebuilt distributions. Although look at FreeBSD also, it rocks more than Linux :D

greetz
Johan Meire
meiremania.com

From tbird at precision-guesswork.com Tue Dec 10 14:43:11 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Tue, 10 Dec 2002 19:43:11 +0000 (GMT)
Subject: [VPN] multiple VPNs *through* checkpoint
In-Reply-To: <127D9E8872144749A56C77E94025D1451CB723@akrn09.stw.com>
Message-ID: <20021210191435.D9953-100000@sisyphus.iocaine.com>

On Tue, 10 Dec 2002, Joshua Vince wrote:

> I haven't tried this, but it probably won't work. UPD 500 will pass
> through many firewall implementations of many-one NAT, but IP Protocol
> 50 or 51 (ESP and AH) won't. This is because there is no way to
> port-map an IP Protocol. It should work with a one-one NAT though.
>

no no no -- i need to write a FAQ for this...

AH won't work with NAT because it does per-packet authentication. NAT changes the headers in transit so the integrity checks fail.

ESP can work in a NAT environment if it is configured to not do the per-packet integrity checks.

IKE will only work in a NAT environment if the NAT-ting device leaves the source and destination ports alone. dst ports are normally left alone, of course. the source ports are frequently modified by address translating devices, which breaks IKE.

now, all of this was the case up until the time that vendors started tunneling IPsec over UDP, to avoid the NAT problems. i'm not very up on that technology, and i'm not sure how it changes things -- maybe someone on the list who's used it could tell us?

From joshv at bcgsys.com Tue Dec 10 14:48:05 2002
From: joshv at bcgsys.com (Joshua Vince)
Date: Tue, 10 Dec 2002 14:48:05 -0500
Subject: [VPN] multiple VPNs *through* checkpoint
Message-ID: <127D9E8872144749A56C77E94025D1451CB730@akrn09.stw.com>

You are correct. I misspoke. AH will NOT work, but ESP will with some/most vendors' implementations of one-one NAT.

I was more trying to show why it WOULDN'T work with many-one NAT.
From joshv at bcgsys.com Tue Dec 10 15:16:25 2002
From: joshv at bcgsys.com (Joshua Vince)
Date: Tue, 10 Dec 2002 15:16:25 -0500
Subject: [VPN] Client VPN connection over PPOE??
Message-ID: <127D9E8872144749A56C77E94025D1451CB735@akrn09.stw.com>

I just set this up for a client using Ameritech DSL using PPPoE 2 days ago. Went fine once we found out that the "Pop-Up Stopper" she had installed was stopping the Cisco VPN client from working. Also if you are running a personal firewall, some tweaks will need to be done.

Josh

From safieradam at hotmail.com Tue Dec 10 16:59:53 2002
From: safieradam at hotmail.com (safieradam)
Date: Tue, 10 Dec 2002 16:59:53 -0500
Subject: [VPN] multiple VPNs *through* checkpoint
References: <20021210182606.I8279-100000@sisyphus.iocaine.com>
Message-ID:

My 4.1 Admin manual had an example of doing something like that.
If you have a front end gateway covering a large security domain and then define additional gateways each covering a security subdomain then the VPN traffic is supposed to get carried to the security subdomain. The security subdomain of the "inner" VPN gateway had to be entirely within the subdomain of the "external" gateway. i.e. if VPN A security domain is 10.1.0.0/16, VPN B could be 10.1.1.0/24, VPN C could be 10.1.2.0/24. You could not have VPN C at 10.2.0.0/24 because 10.2 is outside VPN A's domain.

An SE also told me that NG will allow VPN forwarding, but I have not checked into it yet.

Adam
From BSingh at Nomadix.com Tue Dec 10 19:56:54 2002
From: BSingh at Nomadix.com (BSingh at Nomadix.com)
Date: Tue, 10 Dec 2002 16:56:54 -0800
Subject: [VPN] multiple VPNs *through* checkpoint
Message-ID: <89680B404BA1DD419E6D93B28B41899BA7F139@01mail.nomadix.com>

ESP would work (sort of) if you would use the SPIs as the equivalent information to ports in TCP/UDP.. Lots of implementations including the VPN-masquerade in Linux do that.. The VPN-masquerade How-to gives a good explanation of the concept. Again this is just ESP and that too in tunnel mode because transport mode IPsec would cause a checksum fail in the transport layer due to changed addresses.. The SPI-tracking solution is not 100% reliable but a workable alternative.. The equivalent tracking in IKE can be done via the icookie and rcookie in the IKE payload..

-Bik
From losttoy2000 at yahoo.co.uk Wed Dec 11 02:04:18 2002
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Wed, 11 Dec 2002 07:04:18 +0000 (GMT)
Subject: [VPN] How to configure cisco PIX bith both site-to-site VPN tunnel and VPN hosts for software-based clients?
In-Reply-To: <1876A880186F694787331FB946C503FE16C027@exch01-osl.columbus.no>
Message-ID: <20021211070418.87309.qmail@web12705.mail.yahoo.com>

You have set up the box to do the tasks below. It's working fine. Now what more do you want to do??

--- Trond Hindenes wrote:
> I am having much trouble finding info on this:
>
> The problem is, of course that whenever I search for
> information on how to set up my pix to to one specific task
> (ie web server publishing, internet access, whatever), I am
> having no trouble.
> The thing is, I need to set my PIX up to do the following:
>
> My PIX is a 515 R with 3 network interfaces, outside, inside, and DMZ
>
> -Internet gateway
> -Publish web server
> -Publish mail server
> -VPN Tunnel site-to-site to another office (they are using Checkpoint FW1)
> -VPN Server for Software-based Cisco VPN Clients, authenticate with internal radius server
>
> I have successfully set up my PIX to do each of these tasks, and now it runs the site-to-site config mentioned. The problem is, I simply can not find any info that thoroughly describes the different config lines (this goes especially for the VPN part) so that I can intelligently set it up like I want to.
>
> I would deeply appreciate any suggestions, both on where to look for good info, and also hints on the config. Below is my network overview and my current site-to-site config:
>
> Internal network: 10.1.1.0 netmask 255.255.255.0
> Internal PIX address: 10.1.1.14
> Internal address of SMTP Server to be published: 10.1.1.85 (sits in LAN)
> External PIX address 217.199.32.130 netmask 255.255.255.248
> External router: 217.199.32.129
> DMZ network: 172.16.1.0 255.255.255.0
> Web server in DMZ: 172.16.1.2
>
> Config of Site-to-site tunnel:
>
> PIX Version 6.1(4)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> enable password i/ZPsK.7emNNRpuK encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixgateway
> domain-name columbus.com
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 101 permit ip 10.1.1.0 255.255.255.0 157.237.128.0 255.255.224.0
> access-list 101 permit ip 157.238.128.0 255.255.224.0 10.1.1.0 255.255.255.0
> access-list 101 permit ip 10.1.1.0 255.255.255.0 157.237.176.0 255.255.248.0
> access-list 101 permit ip 157.238.176.0 255.255.248.0 10.1.1.0 255.255.255.0
> access-list 102 permit ip 157.238.128.0 255.255.224.0 10.1.1.0 255.255.255.0
> access-list 102 permit ip 157.238.176.0 255.255.248.0 10.1.1.0 255.255.255.0
> access-list 102 permit icmp any any
> access-list inside_access_in permit icmp any any
> pager lines 24
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> ip address outside 217.199.32.130 255.255.255.248
> ip address inside 10.1.1.14 255.255.255.0
> ip address dmz 172.16.1.1 255.255.0.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool ippool 10.1.1.175-10.1.2.254
> pdm location 10.1.1.60 255.255.255.255 inside
> pdm location 10.1.1.188 255.255.255.255 inside
> pdm location 10.1.1.134 255.255.255.255 inside
> pdm location 172.16.1.2 255.255.255.255 dmz
> pdm location 10.1.1.0 255.255.255.0 inside
> pdm location 10.1.1.63 255.255.255.255 inside
> pdm location 10.1.1.201 255.255.255.255 inside
> pdm location 172.16.1.0 255.255.255.0 dmz
> pdm history enable
> arp timeout 14400
> global (outside) 1 217.199.32.131
> global (outside) 2 217.199.32.132
> nat (inside) 0 access-list 101
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group 102 in interface outside
> access-group inside_access_in in interface inside
> conduit permit icmp any any
> route outside 0.0.0.0 0.0.0.0 217.199.32.129 10

=== message truncated ===
From evyncke at cisco.com Wed Dec 11 02:46:49 2002
From: evyncke at cisco.com (Eric Vyncke)
Date: Wed, 11 Dec 2002 08:46:49 +0100
Subject: [VPN] multiple VPNs *through* checkpoint
In-Reply-To: <20021210191435.D9953-100000@sisyphus.iocaine.com>
References: <127D9E8872144749A56C77E94025D1451CB723@akrn09.stw.com>
Message-ID: <5.1.0.14.2.20021211084454.0f29bae8@brussels.cisco.com>

Tina,

Minor detail: ESP will always work even with integrity check, because the integrity check of ESP does not cover the IP header (AH covers the IP header, hence the issue).

Another minor detail: only tunnel mode will go through NAT (transport mode fails because the IKE-negotiated protected entities are the IP addresses that are translated => IKE negotiates some SAs but the traffic will not match those SAs after NAT).

Hope this helps

-eric

At 19:43 10/12/2002 +0000, Tina Bird wrote:
> On Tue, 10 Dec 2002, Joshua Vince wrote:
>
> > I haven't tried this, but it probably won't work.
From adm_sis at yahoo.es Wed Dec 11 12:31:01 2002
From: adm_sis at yahoo.es (Carlos L.M.)
Date: Wed, 11 Dec 2002 18:31:01 +0100 (CET)
Subject: [VPN] Problems with NAT rules on SecurePlatform NG FP3
Message-ID: <20021211173101.85043.qmail@web12807.mail.yahoo.com>

Hi all,

I have a problem with one NAT rule that works on SecurePlatform NG FP2 (I have tested on a vmware machine), but not on SecurePlatform NG FP3.

Security rule is: VPNUsers -> InternalLan -> ClientEncript

NAT rule is: AnyLan(0.0.0.0) -> InternalLan -> FW-IP-Internal(hide)

If I substitute AnyLan with the public IP of the client, all works. What is wrong?

Thank you for your help and sorry for my bad English.

From safieradam at hotmail.com Fri Dec 13 23:57:30 2002
From: safieradam at hotmail.com (safieradam)
Date: Fri, 13 Dec 2002 23:57:30 -0500
Subject: [VPN] multiple VPNs *through* checkpoint
References: <89680B404BA1DD419E6D93B28B41899BA7F139@01mail.nomadix.com>
Message-ID:

Now that we have electricity again... one additional suggestion. How about using UDP encapsulation?

Adam

----- Original Message -----
From:
To:
Sent: Tuesday, December 10, 2002 7:56 PM
Subject: RE: [VPN] multiple VPNs *through* checkpoint

> ESP would work (sort of) if you would use the SPIs as the equivalent information to ports in TCP/UDP. Lots of implementations including the VPN-masquerade in Linux do that. The VPN-masquerade HOWTO gives a good explanation of the concept.
From mjjoosten at chello.nl Sun Dec 15 13:59:23 2002
From: mjjoosten at chello.nl (M.J. Joosten)
Date: Sun, 15 Dec 2002 19:59:23 +0100
Subject: [VPN] FW: VPN session ok?
Message-ID: <000001c2a46c$15395fa0$b401a8c0@KZ>

-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Sunday, 15 December 2002 19:45
To: M.J. Joosten
Subject: Re: VPN session ok?

please send to vpn at lists.shmoo.com

On Sun, 15 Dec 2002, M.J. Joosten wrote:

> Hi Tina,
>
> I'm a bit lost here. As a newbie on VPN I wanted to try access from my home network (cable modem) to our brand new 3Com Firewall at work (connected to a DSL modem). For that I used the supplied software Safenet/Soft-PK. So far I managed to set up a so-called 'GroupVPN' connection with it using a pre-shared key. The log viewer and connection manager show the connection is made as soon as I open the network neighbourhood on my W98 laptop. It also shows a little key with a black dot which means I am supposed to have a tunnel connection with encryption (DES and MD5). Even the logfiles on the 3Com firewall show there is a connection. So far all seems ok.
>
> But what's next? How do you actually get access to the resources on the company network?
> Should it work just like this and may I have some conflicting settings somewhere, or do I have to make a separate connection somehow to authenticate myself on the company network? I tried to ping machines on the company network, creating dial-up adapters using the Soft-PK as modem, making shares to the NT server there, traces on machines and so on. No matter what I try, I can't reach anything on the company network. It can't be my user rights, as I am the system administrator there and I am using the administration accounts to get it working.
>
> I hope you can give me any suggestions on how to continue, as after messing around with this for several days already, it's getting a bit of a frustration now.
>
> There's a lot of information on loads of websites about the encryption options and so on, but I can't find a simple explanation anywhere on what I am supposed to expect from VPN, like with working with W98 and NT40 machines. Not even in the 3Com manual or on their website (by now I read every available document there!). Maybe it's a suggestion for your website also to make a little introduction for newbies like me.
>
> Many thanks in advance.
>
> Kind regards,
> Martin Joosten
> The Netherlands

From jlebowitsch at imperito.com Mon Dec 16 20:22:25 2002
From: jlebowitsch at imperito.com (Lebowitsch, Yoni)
Date: Mon, 16 Dec 2002 17:22:25 -0800
Subject: [VPN] multiple VPNs *through* checkpoint
Message-ID: <54408FC2372FA14F8D8CE09CFF08D2690B727B@mail.imperito.com>

My experiences with running IPSec "servers" behind a Checkpoint firewall are mixed... there seems to be no problem on NG, but on 4.0 and 4.1, the FW1/VPN1 "hijacks" IKE sessions that need to go through it. Specifically, I defined on the Checkpoint a static 1-1 NAT for the VPN server behind it. When clients initiated IKE sessions to the address that the Checkpoint was supposed to NAT to the VPN server, the Checkpoint would answer the IKE requests itself.
I saw this weird behaviour on two different setups.

Rgrds
YL

-----Original Message-----
From: Watson, Travis [mailto:Travis.Watson at Honeywell.com]
Sent: Tuesday, December 10, 2002 10:32 AM
To: 'gclef at speakeasy.net'
Cc: vpn at shmoo.com
Subject: RE: [VPN] multiple VPNs *through* checkpoint

Aaron,

I've done it through a PIX, but not Checkpoint. The basics are the same, I would imagine though. Just allow for IPSec src and dst from either specific IPs or "any."

--Travis

-----Original Message-----
From: gclef at speakeasy.net [mailto:gclef at speakeasy.net]
Sent: Monday, December 09, 2002 1:52 PM
To: vpn at shmoo.com
Subject: [VPN] multiple VPNs *through* checkpoint

So, I've got an interesting question: has anyone tried to pass multiple IPSec VPNs through (ie not terminating at) a Checkpoint Firewall? (especially one that's doing a many-one NAT) I'm wondering how the firewall will handle the need for UDP port 500 traffic (inbound through the firewall) to do the VPN keying.

Anyone try this yet?

Thanks.

Aaron

From john.spanos at adacel.com Mon Dec 16 22:49:05 2002
From: john.spanos at adacel.com (John Spanos)
Date: Tue, 17 Dec 2002 14:49:05 +1100
Subject: [VPN] Re: PIX and Split Tunnelling
In-Reply-To:
Message-ID:

Hi Folks,

I have a question relating specifically to Cisco PIX and split tunnelling. I have a situation where a lot of our VPN users have a cable connection with the largest national ISP. This ISP however uses a 'heartbeat' technique to monitor all cable connections. What this means is that the machine with the cable connection sends heartbeats to the State's Heartbeat Server saying 'I am still here, don't kill or free up my connection'.
What I need to do is allow a split tunnel ONLY to a specific machine on a specific port. It appears that I can only send the networks to be protected by IPSec, with all addresses not in this ACL (using permit statements) going out in the clear. I cannot have this as it is against our current security policy. The only workaround I have is to use the old SafeNet Client which pushes policy, unlike the new client which pulls policy from the PIX. I would ideally like to have all users using the latest client for both security and ease of support. If anyone has an alternative solution I'd love to hear from them.

Thanks.

John Spanos.

From jennyw at dangerousideas.com Tue Dec 17 12:55:06 2002
From: jennyw at dangerousideas.com (jennyw)
Date: Tue, 17 Dec 2002 09:55:06 -0800
Subject: [VPN] Sonicwall with Mac OS X 10.2 (Jaguar)?
Message-ID: <20021217175506.GA5728@dangerousideas.com>

Has anyone had any experience getting Mac OS X 10.2 to work with Sonicwall VPN? I've heard of a program called VPN Tracker that will allow Jaguar to connect to Sonicwall VPN, but I'm not sure what the product is actually providing. Apple claims that IPSEC is built into Jaguar, but reading some posts on Usenet and mailing list archives, it seems that, while this is true to a point, IPSEC in Mac OS X 10.2 isn't so complete that it can actually be used by a user. So what's missing? And is there anything out there besides VPN Tracker? Has anyone had any good experiences with that product?

VPN Tracker URL: http://www.equinux.com/us/products/vpntracker/

Thanks!

Jen

From djdawso at qwest.com Tue Dec 17 15:33:27 2002
From: djdawso at qwest.com (Dana J. Dawson)
Date: Tue, 17 Dec 2002 14:33:27 -0600
Subject: [VPN] Sonicwall with Mac OS X 10.2 (Jaguar)?
References: <20021217175506.GA5728@dangerousideas.com>
Message-ID: <3DFF8A17.9060301@qwest.com>

Try this URL - it sounds like it's exactly what you're looking for:

http://www.afp548.com/software/VaporSec/

Good luck!
Dana

jennyw wrote:
> Has anyone had any experience getting Mac OS X 10.2 to work with Sonicwall VPN?

--
Dana J. Dawson                djdawso at qwest.com
Senior Staff Engineer         CCIE #1937
Qwest Communications          (612) 664-3364
600 Stinson Blvd., Suite 1S   (612) 664-4779 (FAX)
Minneapolis MN 55413-2620
"Hard is where the money is."

From kathys at imperito.com Tue Dec 17 16:38:22 2002
From: kathys at imperito.com (Stahlman, Kathy)
Date: Tue, 17 Dec 2002 13:38:22 -0800
Subject: [VPN] Download enterprise access VPN software - FREE 12-month trial of Imperito SafeSecure Access Site 4.2
Message-ID: <54408FC2372FA14F8D8CE09CFF08D26905E0B7@mail.imperito.com>

We would like to make the URL available to download Imperito's free enterprise access control VPN software. Tina Bird recommended that I email the URL and information to this address. Below is the URL, along with product information describing the freeware.

Imperito today announced the availability of SafeSecure Access Site 4.2, expanding security and access control for corporate networks.
A limited user version of SafeSecure Access Site 4.2 is available for a FREE twelve-month trial offer and can be downloaded at: www.imperito.com/accessdemo

For medium-sized enterprises with up to 500 concurrent users, SafeSecure Access Site 4.2 offers significantly better ease-of-use than similar solutions and uniquely includes centralized management. Mobile workers can now securely use devices equipped with a GPRS or 1XRTT modem, or with WiFi, to seamlessly wander from Wireless Local Area Networks (WLAN) and fixed LANs to Wide Area Networks (WAN) using one VPN client with the same set of authentication credentials. SafeSecure Access Site 4.2 supports Microsoft Pocket PC 2000, 2002 and Windows 98, SE, ME, 2000 and XP.

Thanks in advance.

-Kathy Stahlman

Kathy Stahlman
(650) 212-8351
Public Relations Manager

From davepier at bigpond.com Wed Dec 18 07:53:43 2002
From: davepier at bigpond.com (David Pierson)
Date: Wed, 18 Dec 2002 22:53:43 +1000
Subject: [VPN] FW: VPN session ok?
References: <000001c2a46c$15395fa0$b401a8c0@KZ>
Message-ID: <00af01c2a694$7f9a8980$07dea8c0@harrypie>

Can't see that anyone has tackled this.

Nothing seems to work over the connection? Do you have a different sub-net at home versus work? If they are the same (eg both 10.0.0) it won't work.

Let us know.

Regards
David Pierson
Brisbane

----- Original Message -----
From: "M.J. Joosten"
To:
Sent: Monday, December 16, 2002 4:59 AM
Subject: [VPN] FW: VPN session ok?
From john at dndlabs.net Wed Dec 18 16:37:58 2002
From: john at dndlabs.net (john at dndlabs.net)
Date: Wed, 18 Dec 2002 16:37:58 -0500
Subject: [VPN] Re: PIX and Split Tunnelling
References:
Message-ID: <003501c2a6dd$bcba3ba0$1f5d6e82@USABBRDUL05464>

I'm not 100% sure about the options for VPN client on the PIX, but on our CSVPN 3030 concentrator I can create a network list and then for a specific group force everything across the tunnel and also allow connectivity to this network list outside of the tunnel. Of course this is the definition of split-tunneling. In this case the network list would be a single address such as 192.168.1.10/0.0.0.0 (wildcard masking used on concentrators) and that would be the ISP's address that sends the heartbeat packets. Although I don't think you can specify a port with this network list. I'm not sure if these options are equally available when configuring the PIX for VPN clients. Sorry if I've restated things you already know.

Cisco has documented this with BugID# : CSCdx04842. They state split-tunneling is the only solution to this problem.

-John

----- Original Message -----
From: "John Spanos"
To:
Sent: Monday, December 16, 2002 10:49 PM
Subject: [VPN] Re: PIX and Split Tunnelling

> Hi Folks,
> I have a question relating specifically to Cisco PIX and split tunnelling. I have a situation where a lot of our VPN users have a cable connection with the largest national ISP.
From satishk at now-india.com Fri Dec 20 05:53:15 2002
From: satishk at now-india.com (Satish Kumar Kejriwal)
Date: Fri, 20 Dec 2002 16:23:15 +0530
Subject: [VPN] comparison between IPSEC and MPLS
References:
Message-ID: <002e01c2a815$ffb33770$1e04a8c0@da1.nowindia.com>

Request to send me a comparison between IPSEC and MPLS, if any of you has it.

Thanks

From stefan.pantke at epost.de Fri Dec 20 13:30:42 2002
From: stefan.pantke at epost.de (Stefan Pantke)
Date: Fri, 20 Dec 2002 19:30:42 +0100
Subject: [VPN] Free windows VPN Software
Message-ID: <013901c2a855$e7d074c0$0201a8c0@vaiop4>

Hi,

I'm in search of a free Windows VPN software. Do you know of any product?
____
Kind regards from Kiel,
Stefan Pantke

Don't forget: the truth is out there somewhere.

From ILazar at burtongroup.com Fri Dec 20 15:16:35 2002
From: ILazar at burtongroup.com (Irwin Lazar)
Date: Fri, 20 Dec 2002 13:16:35 -0700
Subject: [VPN] comparison between IPSEC and MPLS
Message-ID: <53BBA8839E91D51194D200902728944E01D2EA3D@bgslc03.burtongroup.com>

see www.mplsrc.com

------
Irwin Lazar
Practice Manager, Burton Group
www.burtongroup.com
ilazar at burtongroup.com
Office: 703-742-9659
Cell: 703-402-4119
"DrivingNetworkEvolution"

-----Original Message-----
From: Satish Kumar Kejriwal [mailto:satishk at now-india.com]
Sent: Friday, December 20, 2002 5:53 AM
To: Daryl_Fallin at NAI.com; scottn at s2s.ltd.uk; dgillett at deepforest.org; vpn at lists.shmoo.com
Subject: [VPN] comparison between IPSEC and MPLS

Request to send me a comparison between IPSEC and MPLS, if any of you has it.

Thanks

From Fred.Chatterton at state.mn.us Fri Dec 20 15:38:13 2002
From: Fred.Chatterton at state.mn.us (Fred Chatterton)
Date: Fri, 20 Dec 2002 14:38:13 -0600
Subject: [VPN] Pilot Project & ZAPID
Message-ID:

The VPN Pilot is over; a 'Weekly Briefing' announcement is due out soon. Those who have expressed an interest in continued use of the VPN have converted to using NDS login names. I'll be disabling the pilot group & usernames on Monday. There's still time to convert, but if you don't express an interest by the end of the year I'll assume you're no longer interested in VPN access.

Whether you continue or not, I thank you for your participation. Because of your input (and in some cases your patience) I'm confident we have a stable and secure VPN infrastructure.

A special thanks to the following 'Frequent Flyers', some for their unique insight and others for their special problems.
El LaGrew
Gerry Skerbitz
Kyle Johnson
Paul Rem
Sally Bushhouse
Tom Heinbaugh
Jim Roberts

Notice to Windows users: I've had problems with the lic. key for ZAPID. The automated install doesn't work and in some cases cut & paste fails too. To verify that your key has installed properly go to Overview|Product Info. If the Licensing Info 'is a full license' it's ok. If the Licensing Info 'is a trial' email me for a new key.

Thanks Again,
Fred

Fred Chatterton
Information Security
Minnesota Dept of Health
Phone: 651.215.8798
Alpha Pager: fredc at airmessage.net
http://www.health.state.mn.us

From listuser at myrealbox.com Mon Dec 23 06:36:07 2002
From: listuser at myrealbox.com (listuser)
Date: Mon, 23 Dec 2002 17:26:07 +0550
Subject: [VPN] VPN and UDP Broadcast
Message-ID: <1040644567.94359a20listuser@myrealbox.com>

Hello all,

I am doing a VPN for a stock exchange. They have a stock ticker system that sends the stocks as UDP broadcast. Till now they were having a closed network; now they want to give access to clients on the internet.

                                + clients
quotes server -- vpn gateway -- clients
                                + clients

The vpn gateway has interfaces in the internal IP of the exchange as well as in the public net. I have built a tunnel from the clients' network to the exchange pvt network, and for clients I have given proper routing in the pvt network. To cut it short, I can log on from the ticker program in the clients to the stock exchange server. But I am not able to receive the stock broadcast in the tunneled network.

The VPN server is Linux FreeS/WAN with X.509 patches; clients are Windows 2000 connected using the native IPsec of Windows.

Is there any way to send the UDP broadcast also across the tunnel? Please let me know if any more network information is required.
TIA
raj

From bet at rahul.net Mon Dec 23 16:18:51 2002
From: bet at rahul.net (Bennett Todd)
Date: Mon, 23 Dec 2002 16:18:51 -0500
Subject: [VPN] comparison between IPSEC and MPLS
In-Reply-To: <002e01c2a815$ffb33770$1e04a8c0@da1.nowindia.com>
References: <002e01c2a815$ffb33770$1e04a8c0@da1.nowindia.com>
Message-ID: <20021223211851.GM23846@rahul.net>

2002-12-20T05:53:15 Satish Kumar Kejriwal:
> Request to send me a comparison between IPSEC and MPLS, if any
> of you has it.

I think the attached, from the archives of this list, are quite good.

In short: there's some limited overlap between MPLS and IPSec, but their security models are so different that it's really apples and oranges. Some applications would be better served with MPLS, some with IPSec, and some with both --- IPSec being transported with MPLS. MPLS is secure just to the degree that all of the transit path is secure; MPLS helps nail that transit path down. IPSec uses encryption to be secure in the face of an untrusted transit path.

-Bennett

-------------- next part --------------
An embedded message was scrubbed...
From: "Kent Dallas"
Subject: RE: [vpn] VPN security : MPLS vs IPSec
Date: Tue, 23 Jul 2002 11:52:22 -0400
Size: 4471
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20021223/9c9f0687/attachment.eml
-------------- next part --------------
An embedded message was scrubbed...
From: "Kent Dallas"
Subject: RE: [vpn] VPN security : MPLS vs IPSec
Date: Tue, 23 Jul 2002 23:30:20 -0400
Size: 5014
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20021223/9c9f0687/attachment-0001.eml
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20021223/9c9f0687/attachment.pgp

From support at tradescan.cc Tue Dec 24 10:53:14 2002
From: support at tradescan.cc (support at tradescan.cc)
Date: Tue, 24 Dec 2002 09:53:14 -0600
Subject: [VPN] VPN and UDP Broadcast
In-Reply-To: <1040644567.94359a20listuser@myrealbox.com>
Message-ID:

The only way I know of to forward broadcast across a VPN is to find a router (a Cisco 2500 series will do) that gives you "ip-helper" functionality. Basically it converts the broadcast packets into unicast packets and forwards them on to the address(es) you configure in the router.

Hope that helps.

John Guynn
System Administrator
support at tradersparadise.com

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of listuser
Sent: Monday, December 23, 2002 5:36 AM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN and UDP Broadcast

Hello all,

[snip]

Is there any way to send the UDP Broadcast also across the tunnel? Please let me know if any more network information is required.

TIA

raj

From bill.luckett at ptk.org Mon Dec 30 09:17:01 2002
From: bill.luckett at ptk.org (Bill Luckett)
Date: Mon, 30 Dec 2002 08:17:01 -0600
Subject: [VPN] problems with frees/wan users list?
Message-ID: <3.0.1.32.20021230081701.014095a0@mail.ptk.org>

Hi all,

I know this may be off topic, but does anyone know what's up with the freeswan users list? The web subscription interface seems to be broken and all my attempts to subscribe via mail are unsuccessful, tho' I think I'm sending the right commands.
Thanks

At 12:00 PM 12/25/2002 +0000, you wrote:
>Send VPN mailing list submissions to
>        vpn at lists.shmoo.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
>        http://lists.shmoo.com/mailman/listinfo/vpn
>or, via email, send a message with subject or body 'help' to
>        vpn-request at lists.shmoo.com
>
>You can reach the person managing the list at
>        vpn-admin at lists.shmoo.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of VPN digest..."
>
>
>Today's Topics:
>
>   1. VPN and UDP Broadcast (listuser)
>   2. Re: comparison between IPSEC and MPLS (Bennett Todd)
>
>--__--__--
>
>Message: 1
>Reply-To: Rajkumar S
>From: "listuser"
>To: vpn at lists.shmoo.com
>Date: Mon, 23 Dec 2002 17:26:07 +0550
>Subject: [VPN] VPN and UDP Broadcast
>
>[snip]
>
>--__--__--
>
>Message: 2
>Date: Mon, 23 Dec 2002 16:18:51 -0500
>From: Bennett Todd
>To: Satish Kumar Kejriwal
>Cc: Daryl_Fallin at NAI.com, scottn at s2s.ltd.uk, dgillett at deepforest.org,
>        vpn at lists.shmoo.com
>Subject: Re: [VPN] comparison between IPSEC and MPLS
>
>[snip]
>
>From: "Kent Dallas"
>To: "Raymakers, Guy" ,
>Date: Tue, 23 Jul 2002 11:52:22 -0400
>Subject: RE: [vpn] VPN security : MPLS vs IPSec
>
>Guy,
>
>Here are a few quick thoughts.
>
>Use MPLS when:
>* You control (policy and device) on both ends of the connection
>* Geographic coverage and logistics allow for a single service provider
>* QoS is particularly important to the application(s)
>* No remote access requirements anticipated
>* Strict security is not required (you trust the service provider enough to be able to see the data, and can withstand the risk of the service provider making a configuration mistake that exposes your data to a third party)
>* Configuration changes only as quick as the responsiveness of the service provider is acceptable
>* Performance is more important than price
>
>And so the antithesis, use IPsec-based VPNs when:
>* You may need to include "extranet" sites or users (of which you don't have the control to select the policy or device)
>* Geographic coverage required exceeds that of your preferred provider
>* QoS is not particularly important
>* Remote access is a likely requirement
>* Security is critical
>* Configuration changes must happen quickly, and need to be within your control
>* Price is more important than performance
>
>And use both, only when the vast majority of your requirements fall within the MPLS list, but some of the IPsec requirements must also be supported in a limited manner.
>
>Just my opinion, and you know what they say about those...
>
>Kent Dallas
>
>-----Original Message-----
>From: Raymakers, Guy [mailto:guy.raymakers at eds.com]
>Sent: Tuesday, July 23, 2002 2:48 AM
>To: vpn at securityfocus.com
>Subject: [vpn] VPN security : MPLS vs IPSec
>
>
>Hi All,
>
>I've one basic question regarding MPLS and IPSEC based VPNs. When should MPLS be used, and are there security aspects with MPLS that still would require IPSec to run over MPLS to get a really secure network?
>
>Thanks,
>  Guy
>
>VPN is sponsored by SecurityFocus.com
>
>
>From: "Kent Dallas"
>To: "Natasha Smith" ,
>Date: Tue, 23 Jul 2002 23:30:20 -0400
>In-Reply-To: <5.1.0.14.2.20020723174829.04096220 at mail.espace.net>
>Subject: RE: [vpn] VPN security : MPLS vs IPSec
>
>Natasha,
>
>Thanks for the link. I hadn't seen that document yet, and it covers ground I have trod over many times in the past.
>
>However, I wouldn't go so far as to say that MPLS provides no security, or even no privacy. The VPNC document, in attempting to establish common terminology (an excellent objective, IMO), does a bit of disservice to a "trusted VPN" by implying that it has no security properties whatsoever. It further muddles the issue by suggesting somehow that encryption equals security. It does not. Security is a much more complicated concept (just read the referenced RFCs for "secure VPNs").
>
>MPLS certainly has better security properties versus cleartext over the general Internet. Simply limiting the implementation to a single service provider (or even a confederation of service providers) prevents my ability to snoop on or attack them from my home cable modem.
>
>Both MPLS and IPsec VPNs have certain sets of security properties. While IPsec offers much more stringent security, that doesn't mean that MPLS has no security. MPLS achieves privacy through access control, while IPsec relies on authenticated encryption.
>
>If you believe that your telephone calls across the public switched network are private, you have to allow that communication across MPLS is even more private. And IPsec goes well beyond that.
>
>A much more in-depth and even-handed treatment can be found in this document, for those REALLY interested in the topic.
>
>http://www.employees.org/~ferguson/vpn.pdf
>
>Kent Dallas
>
>
>
>-----Original Message-----
>From: Natasha Smith [mailto:natasha at espace.net]
>Sent: Tuesday, July 23, 2002 8:51 PM
>To: vpn at securityfocus.com
>Subject: Re: [vpn] VPN security : MPLS vs IPSec
>
>
>MPLS provides private virtual circuits, no security, no "privacy" in the security sense. IPsec provides privacy and authentication.
>
>Some MPLS vendors are, ahem, less than reputable in explaining this.
>
>See for a good discussion.
>
>At 07:47 AM 7/23/02 +0100, Raymakers, Guy wrote:
>>Hi All,
>>
>>[snip]
>>
>>Thanks,
>>  Guy
>
>VPN is sponsored by SecurityFocus.com
>
>
>--__--__--
>
>End of VPN Digest

*******************************************
Bill Luckett
Director of Information Systems
Phi Theta Kappa International Honor Society
1625 Eastover Dr.
Jackson, MS 39211
bill.luckett at ptk.org
Ph : 601-984-3559
Fax: 601-984-3506
*******************************************

From bogdanid at xnet.ro Wed Dec 4 02:50:56 2002
From: bogdanid at xnet.ro (Bogdan Dumitrache)
Date: Wed, 4 Dec 2002 09:50:56 +0200
Subject: [VPN] Allied Telesyn AR410
Message-ID: <000e01c29b69$e3202040$1e01a8c0@dtp2>

I have one of these routers and I have a problem with it: while I'm issuing

add gre tunnel remote=n.n.n.n key=

it says that gre is missing a parameter. I have checked the manual and the syntax is this:

add gre tunnel remote= [key=]

so no problem here. Has anyone else encountered this problem?

10ks a lot

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20021204/6518e465/attachment.htm

From bogdanid at xnet.ro Wed Dec 4 10:29:55 2002
From: bogdanid at xnet.ro (Bogdan Dumitrache)
Date: Wed, 4 Dec 2002 17:29:55 +0200
Subject: [VPN] Gre tunnel on AR400 and 300 series
Message-ID: <00a601c29baa$02d9a9c0$1e01a8c0@dtp2>

I'm trying to configure an Allied Telesyn router: AR320.
I issue

add gre tunnel remote= key=

and I think it mistakes it for the add gre identity command, because I get the following error:

value missing on parameter gre

Do you have any ideas?

10ks, list :)

-------------------------------------------------------
Xnet automatically scans all messages for viruses using RAV AntiVirus.

Disclaimer: RAV AntiVirus may not be able to detect all new viruses and variants.
Please be aware that there is a risk involved whenever opening e-mail attachments to your computer and that MobiFon is not responsible for any damages caused by viruses.

From bogdanid at xnet.ro Sat Dec 7 10:20:22 2002
From: bogdanid at xnet.ro (Bogdan Dumitrache)
Date: Sat, 7 Dec 2002 17:20:22 +0200
Subject: [VPN] Gre tunnel on AR400 and 300 series
References: <00a601c29baa$02d9a9c0$1e01a8c0@dtp2> <009201c2ce89$661ccc80$0302a8c0@karavelov>
Message-ID: <009201c29e04$374b1340$1e01a8c0@sbnl.com>

They use the 2.4.1 release

----- Original Message -----
From: "Vladimir Karavelov"
To: "Bogdan Dumitrache"
Sent: Friday, February 07, 2003 11:15 AM
Subject: Re: [VPN] Gre tunnel on AR400 and 300 series

> Dear Bogdan,
> Please tell me which version of ATI IOS you are using.
>
> Regards
> Vladou
> ----- Original Message -----
> From: "Bogdan Dumitrache"
> To:
> Sent: Wednesday, December 04, 2002 5:29 PM
> Subject: [VPN] Gre tunnel on AR400 and 300 series
>
> > I'm trying to configure an Allied Telesyn router: AR320.
> > I issue add gre tunnel remote= key= and I think it mistakes it for
> > the add gre identity command, because I get the following error:
> > value missing on parameter gre
> >
> > Do you have any ideas?
> >
> > 10ks, list :)