From jean-philippe.planquart at wanadoo.fr Tue Jan 1 16:56:41 2002
From: jean-philippe.planquart at wanadoo.fr (jean-philippe.planquart at wanadoo.fr)
Date: 1 Jan 2002 21:56:41 -0000
Subject: [vpn] authentication with vpn
Message-ID: <20020101215641.8970.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20020101/3ef18b6b/attachment.txt

From bugtraq at seifried.org Tue Jan 1 19:57:28 2002
From: bugtraq at seifried.org (Kurt Seifried)
Date: Tue, 1 Jan 2002 17:57:28 -0700
Subject: [vpn] authentication with vpn
References: <20020101215641.8970.qmail@mail.securityfocus.com>
Message-ID: <001101c19328$7368afa0$6400030a@seifried.org>

Let the user set their password for the VPN. Of course, then if the ISP is
compromised you've got problems. An alternative is to use biometrics or
tokens.

Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

----- Original Message -----
Sent: Tuesday, January 01, 2002 2:56 PM
Subject: [vpn] authentication with vpn

> I want to deploy a VPN service for home users to access the intranet
> network.
>
> Users will first connect through an ISP service, and then to an
> authentication server to access my intranet. With this solution, users
> must authenticate twice:
> - first, to the ISP to authorize access to the Internet;
> - second, to the authentication gateway to authorize access to the
>   intranet.
>
> Then, after authentication, we build a VPN between the home user and the
> gateway. With this solution, people have to learn 2 passwords (for the
> ISP and for my gateway).
> Has anybody a solution to enter only one password?
VPN is sponsored by SecurityFocus.com

From danx at geac.com Tue Jan 1 23:23:44 2002
From: danx at geac.com (Dan McGinn-Combs)
Date: Tue, 1 Jan 2002 23:23:44 -0500
Subject: [vpn] authentication with vpn
Message-ID: <67E150D4D792D411A7B900D0B74D55A204DD12D2@atlexg02.gama.us.geac.com>

As a connectivity feature, it's a wonderful benefit to the user to provide a
single sign-on service. However, it is quite likely to be a security loser.
As I read this, your passwords are your only method for ensuring that your
networks aren't hacked. As inconvenient as it is, using this scheme is much
more secure than what you're asking for.

However, if you really want it, Cable & Wireless offers secure dial. This
might meet your needs.

Dan
From dgillett at deepforest.org Tue Jan 1 21:42:05 2002
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Tue, 1 Jan 2002 18:42:05 -0800
Subject: [vpn] authentication with vpn
In-Reply-To: <20020101215641.8970.qmail@mail.securityfocus.com>
Message-ID: <3C3202FD.14514.687CD451@localhost>

On 1 Jan 2002, at 21:56, jean-philippe.planquart at wanadoo.fr wrote:

> Has anybody a solution to enter only one password?

The two different authentications are to obtain access to resources that
are part of two different security domains. Combining them, even if
feasible, would be unwise.

As far as I can see, you have two choices:

1. Accept *anyone* connecting via that ISP, even if they're not one of your
   users.

2. BECOME your own ISP -- run your own modem banks, with POPs in major
   cities to save on long distance phone charges.... Wait, wasn't the point
   of providing a VPN to get OUT of this business?

On the other hand, users may be able to save their ISP password, so
although their machine must authenticate multiple times, not all require
the *user* to authenticate. So the current situation need not be
unacceptably tedious.
Dave Gillett

From jmuniz at loudcloud.com Wed Jan 2 18:16:11 2002
From: jmuniz at loudcloud.com (Jose Muniz)
Date: Wed, 02 Jan 2002 15:16:11 -0800
Subject: [vpn] authentication with vpn
References: <20020101215641.8970.qmail@mail.securityfocus.com>
Message-ID: <3C3394BB.E17FD8CB@loudcloud.com>

Hello Jean,

First, you have to forget about the ISP authentication: if you do not
manage it, then you basically cannot trust it, so get that thought out of
your mind.

You can use a VPN like NetScreen, for example, and also provide
authentication after decryption, so that you can actually interrogate the
users for auth. You can have them auth against an LDAP or RADIUS server,
for example.

Jose.

--
Jose Muniz
Network Engineering
Loudcloud, Inc.
(408) 744-7583 Direct
page-jmuniz at loudcloud.com
http://www.loudcloud.com

From kpasley6 at home.com Wed Jan 2 21:24:44 2002
From: kpasley6 at home.com (Keith Pasley, CISSP)
Date: Wed, 2 Jan 2002 21:24:44 -0500
Subject: Fw: [vpn] authentication with vpn
Message-ID: <00c901c193fd$d062f640$6401a8c0@CP531435A>

Jean-Philippe,

Thought I would forward my reply to the list for comment/review, as well.
In agreement with the security risks mentioned in the previous replies from
the list, it sounds like you will have to somehow manage a
usability/security trade-off issue in whatever solution you decide to use.

Keith

> Fundamentally, this would involve interoperability between the home user
> ISP auth system and your gateway authentication system.
>
> Have you discussed whether it is possible to synchronize the ISP
> authentication data with your gateway authentication data for the home
> users, say with a token-based 2-factor authentication like SecurID/PassGo
> or even password-based RADIUS? This is assuming the home users are on the
> same dial-up ISP.
>
> The concept is: the users would authenticate to the dial-up ISP; if the
> user passes the ISP's authentication, then the user is allowed onto the
> ISP. The ISP auth server would then pass the user authentication
> credentials (via scripting or user profile configuration) to your gateway
> authentication server. If the user passes your gateway authentication,
> then your gateway authentication server sends "ok" back to the user's VPN
> client, then a VPN tunnel is set up to your gateway. This would probably
> involve some scripting and/or proxying for the dial-up ISP authentication
> servers (in the case of, say, RADIUS) to talk with your auth server.
> Authenticating your DSL/cable users, of course, would be simpler. They
> could authenticate directly to your gateway.
>
> One vendor I know of does this by caching a password in the client so the
> user only needs to "know" one of the 2 passwords needed to get through
> both systems and into the VPN.
>
> Keith
From Patrick.Bryan at abbott.com Thu Jan 3 15:42:51 2002
From: Patrick.Bryan at abbott.com (Patrick.Bryan at abbott.com)
Date: Thu, 3 Jan 2002 14:42:51 -0600
Subject: [vpn] Cisco 3002 series back to back

Has anyone been able to establish a LAN to LAN connection using Cisco's
3002 series concentrators?

     ___
      |
     3002
      |
      |   <-- Internetwork
     3002
      |
     ------

________________________________________
Patrick A. Bryan, CISSP
Abbott Laboratories, Worldwide Network Services
Dept 0070 Bldg. AP14B
(p) (847) / 935 - 9226
(e) patrick.bryan at abbott.com
________________________________________

From kent at dalliesin.com Thu Jan 3 14:47:00 2002
From: kent at dalliesin.com (Kent Dallas)
Date: Thu, 3 Jan 2002 14:47:00 -0500
Subject: [vpn] authentication with vpn
In-Reply-To: <20020101215641.8970.qmail@mail.securityfocus.com>
Message-ID: <000601c1948f$69adda40$0800a8c0@DALLASDELL2K>

Jean-Philippe,

One other thought: you may want to investigate a compulsory L2TP solution.

If you can find a service provider that supports such a solution in your
area, the users would dial in to a local ISP POP, but instead of getting
Internet access, the NAS would forward RADIUS/CHAP authentication data to
you. Once you authenticate the user, the user's PPP session would be
forwarded to an L2TP network server on your network. You could then
terminate the PPP session, assigning a private IP address, DNS server, and
WINS server.
This solution offers "intranet" access across Internet facilities, with a
"look and feel" just like logging on to the ISP itself. It is very easy for
end users, as they don't have to do anything out of the ordinary. And it
does not require any special VPN client to install or manage. If the user
needs Internet access within the same session, you would have to proxy
their HTTP requests from your internal network.

Most compulsory L2TP solutions do not include encryption, so you will have
less privacy than you would have with an IPsec solution. However, based on
your description, security does not appear to be your top concern.

If you desire an IPsec solution, you can have the ISP proxy the RADIUS
authentication to a server you control. Then the Internet access and VPN
could authenticate to the same database. Users would not have to learn two
different passwords, but they would have to enter the same password twice.

If you do end up with a solution using only one password, understand that
the entire security of your system will be limited to the strength of the
passwords chosen. In this case, I would strongly recommend some "end user
training" on how to develop strong passwords. You can find much more detail
on this topic at http://www.dalliesin.com/pswd.html.

Best of luck,
Kent Dallas
From forstrom at yahoo.com Thu Jan 3 17:52:33 2002
From: forstrom at yahoo.com (john forstrom)
Date: Thu, 3 Jan 2002 14:52:33 -0800 (PST)
Subject: [vpn] authentication with vpn
In-Reply-To: <000601c1948f$69adda40$0800a8c0@DALLASDELL2K>
Message-ID: <20020103225233.43120.qmail@web11604.mail.yahoo.com>

If this type of solution is of interest to you, I can help. You can respond
to me at this email for more info.

John Forstrom

--- Kent Dallas wrote:
> One other thought: you may want to investigate a compulsory L2TP
> solution.
From paul at moquijo.com Thu Jan 3 18:10:46 2002
From: paul at moquijo.com (Paul Cardon)
Date: Thu, 03 Jan 2002 18:10:46 -0500
Subject: [vpn] Cisco 3002 series back to back
Message-ID: <3C34E4F6.4080401@moquijo.com>

Patrick.Bryan at abbott.com wrote:
> Has anyone been able to establish a LAN to LAN connection using Cisco's
> 3002 series concentrators?

The 3002 is not a concentrator, it's a client in hardware form.

-paul

From guy.raymakers at eds.com Fri Jan 4 02:26:28 2002
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Fri, 4 Jan 2002 07:26:28 -0000
Subject: [vpn] Nokia Crypto Cluster <-> Cisco 1720

Joel,

I'm using the same setup, some CC2500 central and some Cisco 1720's remote.
It appears that the IKE negotiations and IKE renewal take some time.
Therefore, I sometimes see a gap of about 2 to 3 minutes in the connections
between these two systems. I've done some checking on this and the only
explanation I've found is that the Cisco box is setting up a new IKE SA
just before the existing one is expiring. That seems to confuse the Nokia
box and that's when the VPN connection is lost for a while.

Have you seen the same behavior?

Best regards,
Guy

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder at Opus1.COM]
Sent: Friday, December 28, 2001 20:05
To: Markus Schlup
Cc: vpn at securityfocus.com
Subject: Re: [vpn] Nokia Crypto Cluster <-> Cisco 1720

Our company wrote the training materials for the Nokia products. I'd be
happy to help. Drop me an email.

The short answer is that you should have no problems---the CC product line
is very compliant with the RFCs, and while there are certain restrictions
in the Cisco commands for setting this sort of stuff up, none of those will
cause any grief with the Nokia boxes.
jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)

>I'm looking for somebody with experience in setting up
>a VPN between the above mentioned VPN devices. I'm
>still trying without any luck to get the two to
>communicate with each other. Searching the net did not
>give me any hints. Any configs that you may share?
>Thanks,
>Markus

From mwroblewski at inkware.com Fri Jan 4 12:04:59 2002
From: mwroblewski at inkware.com (Mark Wroblewski)
Date: Fri, 4 Jan 2002 09:04:59 -0800
Subject: [vpn] VPN Client recommendations with SonicWALL Pro

I currently utilize a SonicWALL Pro firewall/VPN solution at my business. I
am interested in trying a new/better VPN client than the one SonicWALL
provides from their website, as I find it to be a little buggy, especially
with my users still running Windows 98. The client will need to support IKE
IPsec keying. I run the client side software on mostly Windows 2000
Professional machines, but there are a couple of Windows 98 as well as one
Win XP Pro client. Any suggestions would be greatly appreciated.

Warmest Regards,
Mark Wroblewski

From lphifer at fast.net Fri Jan 4 12:25:42 2002
From: lphifer at fast.net (Lisa Phifer)
Date: Fri, 04 Jan 2002 12:25:42 -0500
Subject: [vpn] ISP-Planet Managed VPN RFP Series
Message-ID: <4.2.0.58.20020104120927.00ba9ee0@mail2.netreach.net>

This may be of interest to members of this list:

Last spring, ISP-Planet, an internet.com publication, issued an RFP for VPN
appliances suitable for ISP delivery of managed security services to
broadband-enabled SMBs. We used RFP responses to thin the crowd.
The result: in-depth reviews of the managed VPN platforms proposed by
NetScreen, RapidStream, and SonicWALL.

To read these RFP responses and product reviews, and to register your
opinion, see the series wrap-up:
http://isp-planet.com/technology/vpn/vpn_conclusion.html

Regards,
Lisa Phifer
Columnist, ISP-Planet (http://www.isp-planet.com)
Consultant, Core Competence, Inc. (http://www.corecom.com)

From dmercurio at ccgsecurity.com Fri Jan 4 14:11:34 2002
From: dmercurio at ccgsecurity.com (Dante Mercurio)
Date: Fri, 4 Jan 2002 14:11:34 -0500
Subject: [vpn] Using VPN for point-to-point redundancy
Message-ID: <03EA8EE1BD1FAD46A6AB4525406795E1012C08@ct2001.webcti.local>

Here's a link to a presentation I did giving details on how to set up
systems to use a VPN line as a redundant connection for point-to-point or
frame connections. The routers were Cisco, and the VPN device I used was a
WatchGuard firewall, though other devices would probably need to be set up
similarly. It was a proof-of-concept presentation for a customer.

The presentation is at: www.ccgsecurity.com, middle of page under
Presentations & Papers, #2

If you'd like a .ppt version of the presentation, please email me.

Thanks,
M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
dmercurio at ccgsecurity.com

From Beau.Storch at cshs.org Mon Jan 7 17:12:00 2002
From: Beau.Storch at cshs.org (Storch, Beau)
Date: Mon, 7 Jan 2002 14:12:00 -0800
Subject: [vpn] Fwd: Re: VPN question, please

I'm using Cisco VPN from home via AT&T Broadband and it works fine. I did,
however, read an article about ISPs wanting to charge extra for VPN
support. Basically they want to gain more revenue from you using a VPN
solution. Doesn't sound fair to me.
Beau Storch
Network Management Engineer
Enterprise Information Services
CEDARS-SINAI HEALTH SYSTEM
8723 Alden Drive, SSB - 3
Los Angeles, California 90048
Telephone 310.423.6672
Facsimile 310.423.0112
Email Beau.Storch at cshs.org

-----Original Message-----
From: Little, Mike (BHS) [mailto:MLittle at bhsi.com]
Sent: Monday, January 07, 2002 2:01 PM
To: 'Ryan Russell'; Skip Schnable
Cc: vpn at securityfocus.com
Subject: RE: [vpn] Fwd: Re: VPN question, please

Ryan and all,

We are using it in my area (Louisville, KY) with much success. We have
Nortel's Contivity product (CES 2000) and most of our IS support staff who
have cable modems use the Nortel VPN client to tunnel in.

Good luck,
Mike Little
Network Services
Baptist Healthcare System
(502) 896-3095

> -----Original Message-----
> From: Ryan Russell [SMTP:ryan at securityfocus.com]
> Sent: Monday, January 07, 2002 3:22 PM
> To: Skip Schnable
> Cc: vpn at securityfocus.com
> Subject: Re: [vpn] Fwd: Re: VPN question, please
>
> > I am planning to establish a home office and will need to access my
> > company's network, preferably through a VPN connection over the
> > Internet. I have broadband (cable modem) internet access at home. My
> > associate thinks I cannot use a VPN connection because there is a
> > protocol incompatibility between any VPN and cable modem internet
> > connectivity. Does this sound accurate to you? Thank you very much for
> > any insights you might provide.
>
> Several cable Internet providers have a *policy* against using a VPN
> across their home service. They want you to buy the business service,
> which is something like twice as much. However, previous discussions on
> this list have indicated that this isn't the same thing as the VPN
> doesn't work; it still works fine in most cases. The unanswered question
> is what happens one day if they get around to cutting it off, or find
> out you're using one.
> Worst case, I think you'd lose your service, or be liable for some extra
> service charges.
>
> Were it I, I would go ahead and just do it, and see what happens. Of
> course, I can't officially advise you to violate policy.
>
> Ryan

From RAJones at West.com Mon Jan 7 18:52:17 2002
From: RAJones at West.com (Jones, Ron A)
Date: Mon, 7 Jan 2002 17:52:17 -0600
Subject: [vpn] Windows ME, AOL 6 & 7, Certificates
Message-ID: <8CE122EE5B188A4A9A4C356187B909040452F8@oma-2kex02.wtc.com>

I am using the Cisco 3.1 and 3.5 VPN Client to connect to a 3015 running
the 3.5 code. I am able to successfully connect using all the Microsoft
clients and major ISPs using certificates, with one exception: Windows ME
and AOL 6.0 or 7.0. Other scenarios work: 95, 98SE, 2000 with AOL 6 and 7
with certificates. Windows ME with MSN works with certificates, but not ME
using certificates and AOL. When using this combination, most times the
system blows up. Has anyone had success with this scenario, or know why it
does not work (or can't work)?

From guy.raymakers at eds.com Tue Jan 8 02:04:26 2002
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Tue, 8 Jan 2002 07:04:26 -0000
Subject: [vpn] Nokia Crypto Cluster <-> Cisco 1720

Alberto,

We are talking about the Cryptocluster, but maybe the same issue exists
between Cisco and other VPN boxes.

I've run some ping tools and found that exactly every 8 hours, the
communication is interrupted for a small amount of time (1 to 2 min). The
8 hours is exactly the lifetime of the IKE SA.

Also, there's some issue if the Cisco router still has an SA (IKE and
IPsec) and the Cryptocluster has lost the SAs (due to reboot or failure
or...). At that moment there will be no connection until the IKE SA expires
on the Cisco router.
This behavior is caused by the fact that Cisco doesn't accept the new IKE
proposal, considers this as a possible attack and hence discards the new
connection attempts....

Best regards,
Guy

-----Original Message-----
From: Cardona, Alberto [mailto:alberto.cardona at cnacm.com]
Sent: Monday, January 07, 2002 22:19
To: 'Joel M Snyder'
Cc: Raymakers, Guy; Markus Schlup
Subject: RE: [vpn] Nokia Crypto Cluster <-> Cisco 1720

No, I am talking about the Nokia IPXXX line, but still, it doesn't matter.
IKE is IKE (unless it's not FULLY written to the RFC. Hint: Cisco).

I included the FW1 mailing list just in case someone there is having IPsec
problems regarding SAs.

I hope my info helped.

AC

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder at Opus1.COM]
Sent: Monday, January 07, 2002 1:16 PM
To: Cardona, Alberto
Cc: 'Raymakers, Guy'; 'Joel M Snyder'; Markus Schlup
Subject: RE: [vpn] Nokia Crypto Cluster <-> Cisco 1720

Just curious: you are talking about Nokia, as in the CryptoCluster stuff,
right? I noticed that you added the FW1 mailing list into the mix, and
that's a whole different product. It's from Check Point.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

From M.Ghirardi at ads.it Wed Jan 9 07:46:07 2002
From: M.Ghirardi at ads.it (M.Ghirardi at ads.it)
Date: Wed, 9 Jan 2002 13:46:07 +0100
Subject: [vpn] IPsec from a Novell BorderManager to a Third-Party VPN Server

Could you give more information about:

  Public value length - Length of the third-party server's Diffie-Hellman
  public value, in bytes.
  Public value in BER - Third-party server's Diffie-Hellman public value,
  in BER format. 1024-bit values are supported.

I don't know how to generate the password in BER format. Could you help me?
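The two fields in the question above are the peer's Diffie-Hellman public value y = g^x mod p, once as a raw byte count and once wrapped as an ASN.1 INTEGER. The following is an added example, not code from the thread and not Novell's or BorderManager's own tooling; it assumes that "public value in BER" means exactly that ASN.1 INTEGER (tag 0x02, definite length, minimal two's-complement content, which is the DER subset of BER), and it uses the 1024-bit MODP prime of Oakley group 2 from RFC 2409 since the form says 1024-bit values are supported. Whether the "length" field should count the raw 128-byte value or the whole INTEGER TLV is an assumption the code leaves open by returning both. It runs with the Python standard library only.

```python
"""Diffie-Hellman public value as a BER/DER INTEGER.

Added example for the BorderManager question; not code from the thread
or from Novell. Assumptions: "public value in BER" is y = g^x mod p
encoded as an ASN.1 INTEGER, and the 1024-bit group is the RFC 2409
Oakley group 2 MODP prime transcribed below.
"""
import secrets

# RFC 2409 section 6.2, "Second Oakley Group": 1024-bit MODP prime, g = 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8   # 128 for a 1024-bit group


def ber_length(n):
    """Definite-form length octets: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_integer(value):
    """ASN.1 INTEGER TLV (tag 0x02) with minimal two's-complement content.

    A value whose top bit is set gets a leading 0x00 so it stays positive;
    a full 1024-bit public value therefore has 129 content bytes, not 128.
    """
    if value < 0:
        raise ValueError("DH public values are never negative")
    content = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    return b"\x02" + ber_length(len(content)) + content


def decode_integer(data):
    """Parse one INTEGER TLV; return (value, bytes_consumed).

    Rejects indefinite and non-minimal lengths and redundant leading zero
    bytes, so one number cannot arrive under several encodings.
    """
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not an INTEGER")
    first = data[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(data) < 2 + nbytes:
            raise ValueError("bad length octets")
        if data[2] == 0:
            raise ValueError("non-minimal length encoding")
        length = int.from_bytes(data[2:2 + nbytes], "big")
        if length < 0x80:
            raise ValueError("long form used for a short length")
        offset = 2 + nbytes
    content = data[offset:offset + length]
    if length == 0 or len(content) != length:
        raise ValueError("empty or truncated INTEGER")
    if length > 1 and content[0] == 0 and not content[1] & 0x80:
        raise ValueError("redundant leading zero byte")
    return int.from_bytes(content, "big", signed=True), offset + length


def dh_keypair(randbelow=secrets.randbelow):
    """Private exponent x in [2, p-2] and public value y = g^x mod p."""
    x = 2 + randbelow(P - 3)
    return x, pow(G, x, P)


def public_value_fields(y):
    """Both candidate 'length' fields from the form, derived from one y.

    Which one BorderManager expects is an assumption; the fixed-width raw
    value (128 bytes for this group) and the BER TLV are both returned.
    """
    raw = y.to_bytes(P_BYTES, "big")
    ber = encode_integer(y)
    return {"raw": raw, "raw_length": len(raw),
            "ber": ber, "ber_length": len(ber)}


def shared_secret(x, peer_y):
    """g^(x*x') mod p, after rejecting the degenerate peer values 0, 1, p-1."""
    if not 2 <= peer_y <= P - 2:
        raise ValueError("peer public value outside [2, p-2]")
    return pow(peer_y, x, P)


if __name__ == "__main__":
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    fields = public_value_fields(ya)
    assert decode_integer(fields["ber"]) == (ya, fields["ber_length"])
    assert shared_secret(xa, yb) == shared_secret(xb, ya)
    print("raw length:", fields["raw_length"], "BER length:", fields["ber_length"])
    print("BER prefix:", fields["ber"][:4].hex())
```

Running the script prints a raw length of 128 and a BER length of 131 or 132 (the extra byte appears whenever the top bit of y is set), which is the difference between the two readings of the form's "length" field. The strict decoder matters on the receiving side: a peer value that arrives as 0, 1 or p-1 would pin the shared secret to a known value, which is why `shared_secret` refuses it, and a parser that tolerated non-minimal encodings would let the same number pass any byte-level comparison under several different encodings.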
From tbird at precision-guesswork.com Wed Jan 9 08:39:42 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 9 Jan 2002 07:39:42 -0600 (CST)
Subject: [vpn] [fw-wiz] RE: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook (fwd)

Hi list --

Apologies to those of you who already saw this posting on Firewall-Wizards,
but it's such a >great< discussion of NAT issues between Firewall-1,
SecuRemote, and Microsoft Exchange that I thought I should forward it on.

cheers -- tbird

"I was being patient, but it took too long." - Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

---------- Forwarded message ----------
Date: Tue, 8 Jan 2002 14:53:59 -0700
From: Adam Hudson
To: Patrick.Archbold at schenkerusa.com
Cc: "Aaron Shilts (Aaron Shilts)", firewall-wizards at nfr.com, firewalls at lists.gnac.net
Subject: [fw-wiz] RE: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook

Actually, the problem really is caused by some design flaws in SecuRemote,
FW-1 IP NAT Pool and MS Exchange Server.

Here are the CheckPoint issues:

1. The VPN infrastructure in Firewall-1 is really designed to allow inbound
   connections from the client workstations. It is not designed to allow
   traffic originating from the protected network to the clients. In other
   words, there are no state mechanisms or methods of rule building for
   outbound traffic (see next two points). See the PhoneBoy FAQ for more
   information, http://www.phoneboy.com/faq/0164.html

2. The IP Pool NAT feature available for SecuRemote connections is
   completely inadequate. The translation of the SecuRemote traffic happens
   prior to an evaluation on the rulebase; therefore building a rule to
   allow traffic destined to the NAT pool (as you would naturally want to
   do) does not work.
   The packet is translated to the "whatever SecuRemote address" before
   your rulebase gets control to allow it. This is also evident in the CP
   Log Viewer, as the client's IP address is what is used, instead of the
   pool-assigned address. Furthermore, when a SecuRemote client actually
   conducts traffic destined for the firewall itself (i.e. SSH to Nokia
   IPSO), the translation doesn't happen at all!

3. When utilizing SecuRemote from behind a NAT device, the client uses UDP
   encapsulation. This causes the firewall to truly see the client as the
   private address it possesses behind the NAT device.

Now that we have outlined the above three problems, let's apply it to the
operation of Exchange Server (which is somewhat bad design also):

* Microsoft Exchange server uses a dynamic set of ports for inbound MAPI
  connections (Outlook clients). By default this is a problem, but they
  can be nailed down by registry settings to allow control via the
  firewall.

* The new mail notification feature is achieved by the Outlook client
  informing the Exchange server of its IP address somewhere in the MAPI
  communication payload. From that point forward, the Exchange server
  sends UDP packets greater than port 1024 to that IP address to notify
  the client when a new message has arrived.

* Simply allowing high port UDP communication outbound from the Exchange
  server does not work. This is because you cannot nail down the
  destination side of the rule for SecuRemote clients, as there is no
  "User Access" specification allowed on the destination. You cannot
  target the IP NAT Pool as the destination because of the translation
  problem (see item 2 above). And, last but not least, you cannot specify
  the SecuRemote clients by IP address, because they can come from
  anywhere on the net!

* Allowing high port UDP communication from the Exchange server to ANY
  destination is a bit of a security risk, but won't get the job done
  either.
  Uninitiated traffic to the SecuRemote client gets accepted by the rule
  base, logged and possibly sent down the tunnel. However, either the
  SecuRemote client doesn't actually allow it to be processed, or FW-1
  doesn't actually send it down the tunnel. I have not spent the time with
  Sniffer to figure this one out fully.

Aside from the MS Exchange Server issue we have been discussing, there is
one additional and deadly problem with SecuRemote. When a user is connected
to the VPN via IKE over UDP, their private address is used by the firewall
for communication. For example, let's say the client was using 10.0.0.1
(which is somewhat common). For the duration of their session to the
firewall, another client using the same private IP address from behind a
NAT device cannot also connect. Why? Because the firewall truly knows you
as the 10.0.0.1 address and not your NAT hide address (from the client-side
NAT device), nor your IP NAT Pool address. If the user is utilizing a
public IP address, everything is fine.

The failing topology would look like this:

  [Client 1] --- [NAT dev]----+
   10.0.0.1                   |
                            INET---[FW-1]
                              |
  [Client 2] --- [NAT dev]----+
   10.0.0.1

All of this information pertains to the 4.1 SP5 platform. I have not had
time to test under the NG release.

Adam Hudson
Networking and Security Consultant
Office 720-348-0564
Fax 720-294-0778

-----Original Message-----
From: Patrick Archbold [mailto:patrick.archbold at schenkerusa.com]
Sent: Tuesday, January 08, 2002 1:32 PM
To: Adam Hudson
Subject: RE: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook

Adam,

Thank you for reading this. I saw your postings regarding the SecuRemote /
Outlook / Exchange problems. I am having the exact same problem. I was
wondering if you ever found a solution to the problem?

Thank you for your time.
Patrick Archbold
IT Infrastructure Manager
Schenker IT
150 Albany Ave
Freeport, NY 11520
516-403-5455

_______________________________________________
firewall-wizards mailing list
firewall-wizards at nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards

VPN is sponsored by SecurityFocus.com

From mcschlup at yahoo.com Thu Jan 10 06:17:47 2002
From: mcschlup at yahoo.com (Markus Schlup)
Date: Thu, 10 Jan 2002 03:17:47 -0800 (PST)
Subject: [vpn] Nokia Crypto Cluster <-> Cisco 1720
In-Reply-To: <01KCEG46O0EA91VRD5@Opus1.COM>
Message-ID: <20020110111747.62109.qmail@web13608.mail.yahoo.com>

Thanks to those that responded to my original question. In the meantime I got it working with preshared key authentication. My original intention though was to do it with certificate-based authentication using the CA facilities implemented in the Nokia boxes. But I didn't find out how I could manually import a certificate to the Cisco router. Is it only possible through online enrollment (SCEP)?

regards,
Markus

--- Joel M Snyder wrote:
> Our company wrote the training materials for the Nokia products. I'd be
> happy to help. Drop me an email.
>
> The short answer is that you should have no problems---the CC product line
> is very compliant with the RFCs, and while there are certain restrictions
> in the Cisco commands for setting this sort of stuff up, none of those
> will cause any grief with the Nokia boxes.
>
> jms
>
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
>
> >I'm looking for somebody with experience in setting up a VPN between the
> >above mentioned VPN devices. I'm still trying without any luck to get the
> >two to communicate with each other. Searching the net did not give me any
> >hints. Any configs that you may share?
> >
> >Thanks,
> >Markus
From Ronny.Egner at siv.de Thu Jan 10 11:10:00 2002
From: Ronny.Egner at siv.de (Ronny Egner)
Date: Thu, 10 Jan 2002 17:10:00 +0100
Subject: [vpn] please help !!; FreeS/WAN
Message-ID: <3C3DBCD8.B94621EF@siv.de>

Hi,

my test network looks like this:

    Intranet (172.23.0.0/16)
      |
      |
      |
    Gateway (172.23.1.146 internal; 192.168.0.1 external)
      |
      |
      |
    Client (192.168.0.2; untrusted net)

My /etc/ipsec.conf contains:

    config setup
        #interfaces="ipsec0=eth0:1"
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search
        uniqueids=yes

    conn %default
        keyingtries=1
        authby=secret

    conn rw-vpn
        type=tunnel
        left=172.23.1.146
        leftsubnet=172.23.0.0/16
        leftnexthop=192.168.0.1
        right=0.0.0.0
        keyexchange=ike
        compress=no
        authby=secret
        pfs=yes
        keylife=60m
        ikelifetime=240m
        rekeymargin=10m
        auto=add

On the client side 192.168.0.1 is the VPN gateway. I am using a shared secret. The VPN client is SSH Sentinel.

I can't establish a VPN connection!! FreeS/WAN complains about "message received on 192.168.0.1:500 but no connection has been authorized".

My ipsec.secrets contains:

    0.0.0.0 [space] 0.0.0.0: PSK "test"
    [one blank line]

Any help??? Thanks.

Ronny

From sandy at storm.ca Thu Jan 10 18:28:56 2002
From: sandy at storm.ca (Sandy Harris)
Date: Thu, 10 Jan 2002 18:28:56 -0500
Subject: [vpn] please help !!; FreeS/WAN
References: <3C3DBCD8.B94621EF@siv.de>
Message-ID: <3C3E23B8.1F7D41BB@storm.ca>

Ronny Egner wrote:
>
> Hi,

Questions specifically about FreeS/WAN should usually go to the FreeS/WAN lists rather than this general VPN list. For subscription info, see:

http://www.freeswan.org/mail.html

or doc/mail.html in your FreeS/WAN distribution.

> I can't establish a VPN connection!!
> FreeS/WAN complains about "message received on 192.168.0.1:500
> but no connection has been authorized".

That message is discussed in the FAQ:

http://www.freeswan.org/freeswan_trees/freeswan-1.94/doc/faq.html#noconn.auth

or doc/faq.html in the distro.

> My ipsec.secrets contains:
>
> 0.0.0.0 [space] 0.0.0.0: PSK "test"
> [one blank line]

That doesn't look right. I'd expect to see an IP address for at least one end.

From dreadnought at arsenal.net Sat Jan 12 18:56:45 2002
From: dreadnought at arsenal.net (Mark Spencer)
Date: Sat, 12 Jan 2002 18:56:45 -0500
Subject: [vpn] IPSec on LAN w/ Windows 2000 Pro?
Message-ID: <001901c19bc4$cb424de0$0100007f@RMTSUFAJE>

I've got a couple of Windows 2000 Professional machines at home and was going to use them to start playing with IPSec. I downloaded the IPSec lab from Microsoft (http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp) and was concerned about the prerequisites they have listed:

"This guide is designed as a lab for network and system administrators to gain understanding and knowledge of how Windows 2000 IPSec works. You can configure an IP security policy locally on each computer, and then implement this policy and test the results to see secure network communications. To complete this walkthrough, you need the following hardware:

Two computers running the Windows 2000 operating system. You can use two Windows 2000 Professional systems as the domain members, one to act as a client and the other as a server in the IPSec sense. The two test systems must be members of the same (or a trusted) domain.

A Windows 2000 Server domain controller.

A LAN or WAN to connect these three computers."

Since I'm not running a W2K Server, and thus am not running a domain in my home but a workgroup, I gather most of this lab will not apply to me. Anyone have recommendations on how a beginner should go about setting up IPSec on a LAN without having Windows 2000 Server?
What I would like to do at first is secure all communications between the W2K clients at the network layer, and then move into configuring IPSec on wireless clients as recommended to me in a prior thread regarding wireless security.

Thanks!

Mark

From sandy at storm.ca Sun Jan 13 20:42:24 2002
From: sandy at storm.ca (Sandy Harris)
Date: Sun, 13 Jan 2002 20:42:24 -0500
Subject: [vpn] IPSec on LAN w/ Windows 2000 Pro?
References: <001901c19bc4$cb424de0$0100007f@RMTSUFAJE>
Message-ID: <3C423780.F15A303@storm.ca>

Mark Spencer wrote:
>
> I've got a couple of Windows 2000 Professional machines at home and was
> going to use them to start playing with IPSec. ...

> To complete this walkthrough, you need the following hardware:
>
> Two computers ...
>
> A Windows 2000 Server domain controller. ...

> Anyone have recommendations on how a beginner should go about setting up
> IPSec on a LAN without having Windows 2000 Server? ...

Have a look at the Samba project, www.samba.org. This is an Open Source implementation of the SMB (Server Message Block) protocol Microsoft uses for most Windows services. Samba is widely used for things like file and printer sharing between Linux and Windows, and works just fine for that. A machine running Linux and Samba can also replace an NT or 2K domain controller for some purposes.

I don't know the details and in particular I'm not sure how Samba might interact with Win 2000 IPsec. If you find out, please post.

Of course you might also consider using an Open Source IPsec server such as Linux FreeS/WAN (www.freeswan.org) or the IPsec built into a BSD Unix (www.freebsd.org, www.netbsd.org or www.openbsd.org).
For info on making FreeS/WAN work with Win 2000 IPsec, see:

http://www.freeswan.org/freeswan_trees/freeswan-1.94/doc/interop.html#win2k

From dparmer at dsscorp.com Mon Jan 14 09:17:04 2002
From: dparmer at dsscorp.com (dparmer at dsscorp.com)
Date: Mon, 14 Jan 2002 09:17:04 -0500
Subject: [vpn] Checkpoint/Netscreen VPN IKE Error Messages
Message-ID:

Hello,

We have been having trouble for the past few weeks trying to get a Netscreen 5 to NT 4.0 Checkpoint 4.1 SP5 site-to-site VPN operational. Generally IKE Phase 1 completes between the firewalls, but only very infrequently does IKE Phase 2 complete between the firewalls, according to the Checkpoint and Netscreen logs. When Phase 2 does complete, outbound traffic is encrypted but the return decrypts do not come back. We have encryption schemes identical for Phase 1 & Phase 2 between the Checkpoint & Netscreen boxes. When Phase 2 does not complete, messages in the log viewer include "Received delete SA from Peer" and "Received Notification from Peer: payload malformed", with the source address being the Checkpoint firewall and the destination being the Netscreen.

Just for kicks, we tried creating a VPN connection to two other Checkpoint 4.1 sites (one had NT 4.0 using 4.1 SP2 and another had W2K using 4.1 SP5) using the same Netscreen 5 box with identical encryption properties, and both Phase 1 & Phase 2 became operational, and traffic was being encrypted and decrypted in both directions. Thus I eliminated the possibility that the Netscreen may be the issue.

I then compared a few files on the various firewalls (crypt.def, objects.C), and could not find anything except cosmetic items that were different.
I also tried the various debugging tools (fw monitor, fw -d d, FWIKE_DEBUG), and have examined the resultant file output, and was not able to decipher anything enlightening from these files, although I must admit that I don't know exactly what kind of packet flow or sequencing I should be looking for.

Thanks in advance for any assistance.

============================
Dave Parmer
Distributed Systems Services
610-927-2026
dparmer at dsscorp.com

From rdaher at harris.com Mon Jan 14 23:30:24 2002
From: rdaher at harris.com (Daher, Rabih)
Date: Mon, 14 Jan 2002 23:30:24 -0500
Subject: [vpn] VPN Vendor list
Message-ID: <2548B1848059D211B97800A0C9DFB77C05C65726@dts233-16.dts.harris.com>

Hi all,

I am doing research about the different VPN solutions (software, hardware, both) and the corresponding vendors. Does anyone have a new VPN vendors list? Any hint how I can get access to such info?

Also I am looking for some VPN RFPs (Requests for Proposal) (or RFP responses) to check the criteria and requirements for the current VPN solutions. All info can help, but I am certainly interested in RFPs that fit the broadband wireless access (BWA) technology.

Any help in this regard will be highly appreciated.

Very Respectfully
Rabih

Rabih Daher, M.Eng
BWA Senior Networking Engineer
HARRIS Microwave Communications Division
(e-mail) : rdaher at harris.com
(tel) : (514) 421-8438
(fax) : (514) 421-1597

From phil at vpnlabs.org Mon Jan 14 23:56:52 2002
From: phil at vpnlabs.org (Phil McGarr)
Date: Mon, 14 Jan 2002 20:56:52 -0800
Subject: [vpn] VPN Vendor list
In-Reply-To: <2548B1848059D211B97800A0C9DFB77C05C65726@dts233-16.dts.harris.com>
Message-ID:

Rabih,

We have a fairly comprehensive list of VPN vendors at http://www.vpnlabs.org/vpn-categories/Products-Services/46/index.html .
Here are some VPN RFP resources:

Network Computing:
http://networkcomputing.telezoo.com/asp/sc/sc.asp?idcats=748&history=^709^716

InfoWorld:
http://iwsun4.infoworld.com/articles/tc/xml/01/05/07/010507tcvpnsoftware.xml

ISP-Planet: This is by Lisa Phifer; it's really the best VPN RFP study I've seen on the Net.
http://www.isp-planet.com/technology/index_vpn.html

Hope this helps!

cheers,
Phil McGarr
http://www.vpnlabs.org/
From Alan.Trevillion at bankofamerica.com Tue Jan 15 05:48:57 2002
From: Alan.Trevillion at bankofamerica.com (Trevillion, Alan)
Date: Tue, 15 Jan 2002 10:48:57 +0000
Subject: [vpn] IPSec and IKE documentation ?
Message-ID: <711B34371492D411908B00508BF9BE2E010E0840@ecu.bankofamerica.com>

I just wondered if there are any schematic diagrams that show the process and packet flow of IKE initial communication and IPSec SA connections? It seems very hard to get good documentation on this.

Thanks in advance

-Alan

From jmuniz at loudcloud.com Tue Jan 15 12:22:08 2002
From: jmuniz at loudcloud.com (Jose Muniz)
Date: Tue, 15 Jan 2002 09:22:08 -0800
Subject: [vpn] Checkpoint/Netscreen VPN IKE Error Messages
References:
Message-ID: <3C446540.B838F4DB@loudcloud.com>

Have you tried using different Diffie-Hellman groups?
Checkpoint only supports DH group 1, I think. Are your P2 proxy IDs matching?

Jose.
--
Jose Muniz
Network Engineering
Loudcloud, Inc.
(408)744-7583 Direct
page-jmuniz at loudcloud.com
-------------------------
http://www.loudcloud.com

From odhienx at yahoo.com Tue Jan 15 17:13:31 2002
From: odhienx at yahoo.com (odhienx)
Date: Tue, 15 Jan 2002 14:13:31 -0800 (PST)
Subject: [vpn] freebsd as gateway and firewall VPN
Message-ID: <20020115221331.17262.qmail@web11603.mail.yahoo.com>

Hi,

I need information or an explanation about VPN. Can FreeBSD be used as a VPN gateway and firewall? How?

Thanks

-salihin-

=====
TMTOWTDI="There's More Than One Way To Do IT"
forward :salihin at engineer.com

From phil at vpnlabs.org Tue Jan 15 19:22:44 2002
From: phil at vpnlabs.org (Phil McGarr)
Date: Tue, 15 Jan 2002 16:22:44 -0800
Subject: [vpn] freebsd as gateway and firewall VPN
In-Reply-To: <20020115221331.17262.qmail@web11603.mail.yahoo.com>
Message-ID:

FreeBSD can be used as a VPN gateway. Take a look at our guides:

http://www.vpnlabs.org/vpn-categories/VPN/32/index.html

good luck,
Phil
http://www.vpnlabs.org/
From nick at trendwhore.com Wed Jan 16 16:06:46 2002
From: nick at trendwhore.com (Nick Messick)
Date: Wed, 16 Jan 2002 13:06:46 -0800
Subject: [vpn] Can I have a VPN like this?
Message-ID: <3C45EB66.4060508@trendwhore.com>

I have a Cisco 2600 router with an NT 4.0 server behind it. My network is a bunch of Win2k machines hooked into a switch that the NT server and the router are also hooked into. All the Win2k machines have 10.0.0.* addresses by way of the NT server.

Is it possible for me to make a Win2k machine behind the firewall be the VPN/PPTP server? And if so, does anyone know where I might find help on doing it that way?

From phil at vpnlabs.org Wed Jan 16 18:44:53 2002
From: phil at vpnlabs.org (Phil McGarr)
Date: Wed, 16 Jan 2002 15:44:53 -0800
Subject: [vpn] Can I have a VPN like this?
In-Reply-To: <3C45EB66.4060508@trendwhore.com>
Message-ID:

Yes, it is possible. Here is a link to some resources:

http://www.vpnlabs.org/vpn-categories/2000/39/index.html

Good luck,
Phil
http://www.vpnlabs.org/
From tbird at precision-guesswork.com Fri Jan 18 23:52:42 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Fri, 18 Jan 2002 22:52:42 -0600 (CST)
Subject: [vpn] whoops
Message-ID:

Hi all --

I've had server problems for a few days. If you've submitted messages to the list since Wednesday and haven't seen them, >please< repost. I think things are sorted out now.

thanks very much for your patience -- tbird

--
"I was being patient, but it took too long." - Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribe at securityfocus.com
For additional commands, e-mail: loganalysis-help at securityfocus.com

From kevin.phillips at barco.com Sun Jan 20 14:46:38 2002
From: kevin.phillips at barco.com (Phillips, Kevin)
Date: Sun, 20 Jan 2002 14:46:38 -0500
Subject: [vpn] Planning a VPN - Are we doing the best thing ?
Message-ID: <614780D1A9E7D21195970060976A10C14F374F@ludmex01.barco.com>

I have an office of 35 people and need to connect to 2 other offices of similar size. We will also have about 30 people total that will need access from home and on the road.

The parent company IT group tell us we need to use the PIX 506 plus a 2000 server running ISA for the firewall/VPN. I get the impression that the 506 is not big enough and that a 515 is more suitable.

I have looked around on vpnlabs.org and found a lot of info but still need a dummies' guide to VPN.
Thanks all,

Kevin Phillips
IT Systems technician
Barco Graphics
40 Westover Road
Ludlow, MA 01056
kevin.phillips at barco.com

From samwun at yahoo.com Sun Jan 20 23:44:35 2002
From: samwun at yahoo.com (Sam Wun)
Date: Sun, 20 Jan 2002 20:44:35 -0800 (PST)
Subject: [vpn] OpenBSD VPN compatibility with other commercial VPNs
Message-ID: <20020121044435.43015.qmail@web13501.mail.yahoo.com>

Hi,

I am wondering whether OpenBSD VPN is compatible with other commercial VPNs such as NetScreen and ServGate? I am using OpenBSD 3.0 at the moment.

Thanks
sam

From guy.raymakers at eds.com Mon Jan 21 03:25:43 2002
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Mon, 21 Jan 2002 08:25:43 -0000
Subject: [vpn] Moving an RSA Key Pair
Message-ID:

Hi,

Following situation: a Cisco router used for VPN (IPSec) is using RSA_ENCR as the authentication method. This uses shared public keys. To use this method, a key pair must be created on each involved Cisco router. The problem is that if one of the routers has a hardware failure and needs to be replaced, the key pair on that router is also lost.

Is there a way to retrieve the key pair from the old router (before it broke) and put it on the new router?

The ideal solution for this problem is the usage of PKI, but in some cases (small VPN networks) the cost would be too high ..... so hence my question ...

Thanks,
Guy
From Alan.Trevillion at bankofamerica.com Mon Jan 21 02:53:13 2002
From: Alan.Trevillion at bankofamerica.com (Trevillion, Alan)
Date: Mon, 21 Jan 2002 07:53:13 +0000
Subject: [vpn] FW: IPSec and IKE documentation ?
Message-ID: <711B34371492D411908B00508BF9BE2E010E0859@ecu.bankofamerica.com>

> -----Original Message-----
> From: Trevillion, Alan
> Sent: 15 January 2002 10:49
> To: 'vpn at securityfocus.com'
> Subject: IPSec and IKE documentation ?
>
> I just wondered if there are any schematic diagrams that show the process
> and packet flow of IKE initial communication and IPSec SA connections? It
> seems very hard to get good documentation on this.
>
> Thanks in advance
>
> -Alan

From dgillett at deepforest.org Mon Jan 21 04:58:22 2002
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Mon, 21 Jan 2002 01:58:22 -0800
Subject: [vpn] Planning a VPN - Are we doing the best thing ?
In-Reply-To: <614780D1A9E7D21195970060976A10C14F374F@ludmex01.barco.com>
Message-ID: <3C4B75BE.2901.D6613AB@localhost>

On 20 Jan 2002, at 14:46, Phillips, Kevin wrote:

> I have an office of 35 people and need to connect to 2 other
> offices of similar size. We will also have about 30 people total
> that will need access from home and on the road.
>
> The parent company IT group tell us we need to use the PIX 506
> plus a 2000 server running ISA for the firewall/VPN. I get the
> impression that the 506 is not big enough and that a 515 is more
> suitable.
>
> I have looked around on vpnlabs.org and found a lot of info but
> still need a dummies' guide to VPN.

There are two common VPN situations, and you will be using both: LAN-to-LAN to connect between offices, and Remote Access to support your home/road users.

It seems to me that you could use *either* a PIX or an ISA server to support both kinds of use; you will need a device in each of your three offices, and if it's the PIX then you may also need to distribute client software to your home/road users. (OR, if not actual software, at least instructions on how to connect....)

I cannot imagine a working solution that uses a total of two devices, of different types. Can your parent company group provide more details of what they have in mind?

As for what model of PIX, the determining factor is probably how much Internet bandwidth you have at each office. I wouldn't expect the PIX to be the bottleneck.
Dave Gillett

From Dan.McGinn-Combs at geac.com Mon Jan 21 07:10:45 2002
From: Dan.McGinn-Combs at geac.com (Dan McGinn-Combs)
Date: Mon, 21 Jan 2002 07:10:45 -0500
Subject: [vpn] OpenBSD VPN compatibility with other commercial VPNs
Message-ID: <67E150D4D792D411A7B900D0B74D55A204DD147A@atlexg02.gama.us.geac.com>

Of course, I haven't worked with either of those systems you mention, but that's not going to stop me from yakking about it. :-)

I recently set up a VPN between OpenBSD (3.0) and Checkpoint (4.1). It worked without any hassles. I was pleasantly surprised since my previous experience was with FreeSwan on RedHat. As good as it is, FreeSwan's step one is "recompile and reinstall your kernel." That wasn't something I really wanted to do, and it was complex enough... All I really wanted was a VPN!

Dan

From djdawso at qwest.com Mon Jan 21 12:32:56 2002
From: djdawso at qwest.com (Dana J. Dawson)
Date: Mon, 21 Jan 2002 11:32:56 -0600
Subject: [vpn] Planning a VPN - Are we doing the best thing ?
References: <614780D1A9E7D21195970060976A10C14F374F@ludmex01.barco.com>
Message-ID: <3C4C50C8.D4457B76@qwest.com>

You can do the site-to-site stuff with the PIX, but the 506 is limited to 25 total VPN peers, including VPN clients (this was changed in the PIX 6.1 software - the old limit was 4 peers, but that conflicted with the new PIX 501).
Whether this is enough to support your pool of users is tough to say. I usually scale VPN hardware by the bandwidth of encrypted traffic required, at least as a first rough estimate. The PIX 506 CPU is fast enough to do about 6 Mbits of 3DES (the Cisco numbers vary on this), so even if you have a T1 you'll probably be OK, especially if your encrypted traffic is only part of the traffic through the PIX.

You're more likely to run into feature limits with the VPN client support, since the PIX doesn't support all the features that a dedicated VPN concentrator does. The biggest missing feature is IPSec through NAT, which is a pretty common requirement with all the DSL and cable modems out there. With a pool of around 30 users you're kind of on the borderline of where a concentrator is worth the cost. A Cisco 3000 series concentrator starts at around $4000, and there are cheaper ones from other vendors, so shop around.

HTH

Dana

--
Dana J. Dawson              djdawso at qwest.com
Senior Staff Engineer       CCIE #1937
Qwest Global Services       (612) 664-3364
Qwest Communications        (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."
From sandy at storm.ca Mon Jan 21 12:50:20 2002
From: sandy at storm.ca (Sandy Harris)
Date: Mon, 21 Jan 2002 12:50:20 -0500
Subject: [vpn] OpenBSD VPN compatibility with other commercial VPNs
References: <67E150D4D792D411A7B900D0B74D55A204DD147A@atlexg02.gama.us.geac.com>
Message-ID: <3C4C54DC.A65E96CF@storm.ca>

Dan McGinn-Combs wrote:

> I recently set up a VPN between OpenBSD (3.0) and Checkpoint (4.1). It
> worked without any hassles. I was pleasantly surprised since my previous
> experience was with FreeSwan on RedHat. As good as it is, FreeSwan's step
> one is "recompile and reinstall your kernel." That wasn't something I really
> wanted to do, and it was complex enough... All I really wanted was a VPN!

We're working on that. Currently you can download RPMs for Redhat 7.1 with FreeS/WAN 1.91 from:

http://rpms.steamballoon.com/freeswan/

That work is being integrated into the FreeS/WAN build process. Currently, all it does is allow you to do the whole complex FreeS/WAN install on one machine and then use that machine to build RPMs to install on your other machines. That's quite handy if you need to install on a dozen firewalls, but not much use otherwise. Pre-compiled RPMs should become available on the FreeS/WAN FTP site Real Soon Now.

Of course, you can avoid the whole problem by just using a distribution with FreeS/WAN built in. Here's a list:

http://www.freeswan.org/freeswan_trees/freeswan-1.94/doc/intro.html#products

I'm not sure Debian should be on that list. It is commented out in the source, but became visible due to a bug in the HTML processing.
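Since the digest has come back to FreeS/WAN, the road-warrior problem posted earlier (Ronny's conn with right=0.0.0.0 and a "0.0.0.0 0.0.0.0: PSK" secrets line, and Sandy's reply that an address should appear on at least one end) lends itself to a small consistency check. The following is an added example, not code from FreeS/WAN or from any list member, and it rests on three assumptions that the thread does not confirm: that this FreeS/WAN version spells the any-peer wildcard %any, so right=0.0.0.0 is treated as a literal address; that Pluto's "message received on 192.168.0.1:500 but no connection has been authorized" means no conn has left= equal to that address (my reading of the log line); and that leftnexthop should be the router toward the peer, never the gateway's own address. The sample ipsec.conf, ipsec.secrets and log line are constructed copies of the posted ones, plus a corrected variant.

```python
"""Sanity-check a FreeS/WAN road-warrior conn against Pluto's complaint.

Added example, not FreeS/WAN's code.  Assumptions: the any-peer wildcard is
%any (so right=0.0.0.0 is a literal address); "received on A.B.C.D:500 but no
connection has been authorized" means no conn has left=A.B.C.D (or
%defaultroute) and a matching right=; leftnexthop must not be the gateway.
"""
import re

ANY = "%any"
NOCONN_RE = re.compile(
    r"received on (\d+\.\d+\.\d+\.\d+):500 but no connection has been authorized"
)

# Constructed copy of the posted files (setup section and timers trimmed).
POSTED_CONF = """\
conn %default
    keyingtries=1
    authby=secret

conn rw-vpn
    left=172.23.1.146
    leftsubnet=172.23.0.0/16
    leftnexthop=192.168.0.1
    right=0.0.0.0
    auto=add
"""
POSTED_SECRETS = '0.0.0.0 0.0.0.0: PSK "test"\n'
LOG_LINE = "message received on 192.168.0.1:500 but no connection has been authorized"

# Constructed corrected variant: left= is the address Pluto reported, the peer
# is %any, the self-pointing nexthop is dropped (what belongs there depends on
# the topology), and the PSK is indexed by the gateway address and %any.
FIXED_CONF = """\
conn %default
    keyingtries=1
    authby=secret

conn rw-vpn
    left=192.168.0.1
    leftsubnet=172.23.0.0/16
    right=%any
    auto=add
"""
FIXED_SECRETS = '192.168.0.1 %any: PSK "test"\n'


def parse_ipsec_conf(text):
    """Return {"conn rw-vpn": {key: value}, ...}; headers at column 0, keys indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def parse_ipsec_secrets(text):
    """Return [(indices, kind)], e.g. (["192.168.0.1", "%any"], "PSK")."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            index_part, _, rest = line.partition(":")
            entries.append((index_part.split(), rest.split()[0] if rest.split() else ""))
    return entries


def listening_address(log_line):
    """Extract the local address from Pluto's 'no connection has been authorized' line."""
    m = NOCONN_RE.search(log_line)
    return m.group(1) if m else None


def check_road_warrior(conf_text, secrets_text, log_line):
    """Return a list of findings; [] means the conn is consistent with the log line."""
    findings = []
    local = listening_address(log_line)
    sections = parse_ipsec_conf(conf_text)
    defaults = sections.get("conn %default", {})
    secrets = parse_ipsec_secrets(secrets_text)
    for name, body in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        conn = {**defaults, **body}  # conn %default values are inherited
        left, right, nexthop = conn.get("left"), conn.get("right"), conn.get("leftnexthop")
        if right == "0.0.0.0":
            findings.append(f"{name}: right=0.0.0.0 is a literal address; a road-warrior peer is right={ANY}")
        if local and left not in (local, "%defaultroute"):
            findings.append(f"{name}: left={left} but IKE arrived on {local}, so no conn matched that address")
        if nexthop and nexthop in (left, local):
            findings.append(f"{name}: leftnexthop={nexthop} is the gateway itself, not the router toward the peer")
        if conn.get("authby") == "secret" and not any(
            kind == "PSK" and (left in idx or ANY in idx) for idx, kind in secrets
        ):
            findings.append(f'{name}: no PSK indexed by {left} or {ANY}; write "{left} {ANY}: PSK ..."')
    return findings


if __name__ == "__main__":
    for finding in check_road_warrior(POSTED_CONF, POSTED_SECRETS, LOG_LINE):
        print("posted:", finding)
    print("fixed :", check_road_warrior(FIXED_CONF, FIXED_SECRETS, LOG_LINE) or "no findings")
```

Run against the posted files the checker reports all four points (literal 0.0.0.0 peer, left= not the listening address, nexthop pointing at the gateway itself, and a secret indexed by no real address); the corrected variant comes back clean. The FAQ entry Sandy links is still the authoritative description of what Pluto is actually checking.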
From scure at redbulltech.com Tue Jan 22 13:52:27 2002
From: scure at redbulltech.com (sam)
Date: Tue, 22 Jan 2002 13:52:27 -0500
Subject: [vpn] Planning a VPN - Are we doing the best thing ?
In-Reply-To: <3C4C50C8.D4457B76@qwest.com>
Message-ID: <000001c1a375$f0962f40$3201a8c0@horns>

May I suggest using Nokia's CryptoCluster for gateway to gateway, client to gateway, and gateway to non-managed 3rd party gateway (PIX). The CryptoCluster is extremely strong and supports virtually unlimited clients. The only client it doesn't support is Win 95... DARN :(. CryptoCluster's management auto-generates the policy, alleviating huge headaches when setting up policies. It also has a built-in RSA certificate authority so you can cut unlimited CAs. This solution is extremely scalable and affordable.

Hope this helps. Feel free to contact me directly if you need more information (scure at redbulltech.com).

-----Original Message-----
From: Dana J. Dawson [mailto:djdawso at qwest.com]
Sent: Monday, January 21, 2002 12:33 PM
To: Phillips, Kevin
Cc: 'vpn at securityfocus.com'
Subject: Re: [vpn] Planning a VPN - Are we doing the best thing ?

You can do the site-to-site stuff with the PIX, but the 506 is limited to 25 total VPN peers, including VPN clients (this was changed in the PIX 6.1 software - the old limit was 4 peers, but that conflicted with the new PIX 501). Whether this is enough to support your pool of users is tough to say. I usually scale VPN hardware by the bandwidth of encrypted traffic required, at least as a first rough estimate. The PIX 506 CPU is fast enough to do about 6 Mbit/s of 3DES (the Cisco numbers vary on this), so even if you have a T1 you'll probably be OK, especially if your encrypted traffic is only part of the traffic through the PIX.

You're more likely to run into feature limits with the VPN client support, since the PIX doesn't support all the features that a dedicated VPN concentrator does.
The biggest missing feature is IPSec through NAT, which is a pretty common requirement with all the DSL and cable modems out there. With a pool of around 30 users you're kind of on the borderline of where a concentrator is worth the cost. A Cisco 3000 series concentrator starts at around $4000, and there are cheaper ones from other vendors, so shop around.

HTH

Dana

--
Dana J. Dawson                    djdawso at qwest.com
Senior Staff Engineer             CCIE #1937
Qwest Global Services             (612) 664-3364
Qwest Communications              (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

"Phillips, Kevin" wrote:
>
> I have an office of 35 people and need to connect to 2 other offices of
> similar size. We will also have about 30 people total that will need access
> from home and on the road.
> The parent company IT group tell us we need to use the PIX 506 plus a 2000
> server running ISA for the firewall/VPN. I get the impression that the 506
> is not big enough and that a 515 is more suitable.
> I have looked around on vpnlabs.org and found a lot of info but still need a
> dummies guide to VPN.
> Thanks all,
>
> Kevin Phillips
> IT Systems technician
> Barco Graphics
> 40 Westover Road
> Ludlow, MA 01056
> kevin.phillips at barco.com

From TomM at spectrum-systems.com Mon Jan 21 16:00:32 2002
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Mon, 21 Jan 2002 16:00:32 -0500
Subject: [vpn] Checkpoint/Netscreen VPN IKE Error Messages
Message-ID: <2A0DB5123A51874C82699788F0985ED2064967@sith.spectrum-systems.com>

I happened to run across this bug report in the release notes for the latest version of NetScreen's OS. The problem reported was that Checkpoint didn't delete the SA for Phase 2 when the NetScreen sent a message to it to delete *both* Phase 1 and Phase 2 SAs. This is still reported in the current version of NetScreen's OS, but no mention is made about CheckPoint's version or any work-around.

Hope that helps,

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com
Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"
11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

Concerned about the security of your network? Spectrum Systems' Network Security products and services can take the worry out of protecting your network. Call us at 800-929-3781 or visit us at http://www.spectrum-systems.com to learn more.

> -----Original Message-----
> From: dparmer at dsscorp.com [mailto:dparmer at dsscorp.com]
> Sent: Monday, January 14, 2002 9:17 AM
> To: vpn at securityfocus.com
> Subject: [vpn] Checkpoint/Netscreen VPN IKE Error Messages
>
> Hello,
>
> We are having trouble for the past few weeks trying to get a Netscreen 5 to
> an NT 4.0 Checkpoint 4.1 SP5 site to site VPN operational. Generally IKE
> Phase 1 completes between the firewalls, but only very infrequently does
> IKE Phase 2 complete between the firewalls, according to the Checkpoint and
> Netscreen logs. When Phase 2 does complete, outbound traffic is encrypted
> but the return decrypts do not come back.
> We have encryption schemes identical for Phase 1 & Phase 2 between the
> Checkpoint & Netscreen boxes.
> When Phase 2 does not complete, messages in the log viewer include
> "Received delete SA from Peer" and "Received Notification from Peer:
> payload malformed", with the source address being the Checkpoint firewall
> and the destination being the Netscreen.
>
> Just for kicks, we tried creating a VPN connection to two other Checkpoint
> 4.1 sites (one had NT 4.0 using 4.1 SP2 and another had W2K using 4.1 SP5)
> using the same Netscreen 5 box with identical encryption properties, and
> both Phase 1 & Phase 2 became operational, and traffic was being encrypted
> and decrypted in both directions. Thus I eliminated the possibility that
> the Netscreen may be the issue.
>
> I then compared a few files on the various firewalls (crypt.def,
> objects.C), and could not find anything except cosmetic items that were
> different. I also tried the various debugging tools (fw monitor, fw -d d,
> FWIKE_DEBUG), and have examined the resultant file output, and was not able
> to decipher anything enlightening from these files, although I must admit
> that I don't know exactly what kind of packet flow or sequencing I should
> be looking for.
>
> Thanks in advance for any assistance.
>
> ============================
> Dave Parmer
> Distributed Systems Services
> 610-927-2026
> dparmer at dsscorp.com

From itsd2001 at hotmail.com Mon Jan 21 23:01:38 2002
From: itsd2001 at hotmail.com (itsd itsd)
Date: Mon, 21 Jan 2002 23:01:38 -0500
Subject: [vpn] OSPF through the VPN link "IPSEC"
Message-ID:

Hi,

Does IPSEC support multicast ("OSPF") yet?
Thanks

From Alan.Trevillion at bankofamerica.com Tue Jan 22 04:42:52 2002
From: Alan.Trevillion at bankofamerica.com (Trevillion, Alan)
Date: Tue, 22 Jan 2002 09:42:52 +0000
Subject: [vpn] FW: IPSEc and IKE documentation ?
Message-ID: <711B34371492D411908B00508BF9BE2E010E085D@ecu.bankofamerica.com>

I have tried reading the RFCs but the explanation seemed to skip what was actually happening when 2 IPSec devices try to set up an IKE and IPSec SA. I just wondered if there were any diagrams that showed process flows. The RFCs I found seem to overcomplicate and just refer to other legal documentation. As you can guess this subject is relatively new to me.

Alan

-----Original Message-----
From: Jose Muniz [mailto:jmuniz at loudcloud.com]
Sent: 22 January 2002 00:59
To: Trevillion, Alan
Cc: vpn at securityfocus.com
Subject: Re: [vpn] FW: IPSEc and IKE documentation ?

Read the RFCs.

Jose.

"Trevillion, Alan" wrote:
>
> -----Original Message-----
> From: Trevillion, Alan
> Sent: 15 January 2002 10:49
> To: 'vpn at securityfocus.com'
> Subject: IPSEc and IKE documentation ?
>
> I just wondered if there are any schematic diagrams that show the process
> and packet flow of IKE initial communication and IPSec SA connections? It
> seems very hard to get good documentation on this.
>
> Thanks in advance
>
> -Alan

From tbird at precision-guesswork.com Tue Jan 22 05:07:47 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Tue, 22 Jan 2002 04:07:47 -0600 (CST)
Subject: [vpn] FW: IPSEc and IKE documentation ?
In-Reply-To: <711B34371492D411908B00508BF9BE2E010E085D@ecu.bankofamerica.com>
Message-ID:

Alan --

You might want to take a look at

http://kubarb.phsx.ukans.edu/~tbird/vpn/ipsec_troubleshooting.pdf

These are my notes on *duh* how to figure out what's going wrong with an IPsec connection, and it includes a bit of background information on how connections get built. My students say it's one of the most helpful parts of my VPN class.
I am one of the most graphically challenged people on the planet, so it doesn't have many pictures, but there are a couple.

My other favorite reference on IPsec is

http://www.timestep.com/doctypes/technewbridgenote/ipsec/index.jhtml

With all the financial contortions Timestep's been through in the last four years, I'm delighted this is still on line. Again, there aren't tons of pictures -- maybe you can figure it out and create the first good ones! -- but it's a >wonderful< introduction.

HTH - tbird

On Tue, 22 Jan 2002, Trevillion, Alan wrote:

> I have tried reading the RFC's but the explanation seemed to skip what was
> actually happening when 2 IPSec devices try to setup an IKE and IPSec SA. I
> just wondered if there were any diagrams that showed process flows. The
> RFC's I found seem to overcomplicate and just refer to other legal
> documentation. As you can guess this subject is relatively new to me.
>
> Alan

From mikey at werzowa.at Tue Jan 22 10:13:55 2002
From: mikey at werzowa.at (Karl-Michael Werzowa)
Date: Tue, 22 Jan 2002 16:13:55 +0100
Subject: [vpn] FW: IPSEc and IKE documentation ?
Message-ID:

Hello, Alan!

Your problems are quite understandable; IPsec seems to be overcomplicated (a typical committee work, as Bruce Schneier stated ;-)

What I found quite helpful is (from very simple (1), management overview, to deep into tech details (10)):

http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.htm (1)

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/toc.html (3 to 9)
though based only on FreeS/WAN, very extensive, lots of great links.

http://www.vpnc.org/white-papers.html (1 to 7, depending on links you follow)

http://www.ietf.org/html.charters/ipsec-charter.html (3-10) (you may know this...)

To your amusement and for anyone who thinks RFCs are holy texts:
http://www.counterpane.com/ipsec.html (VERY informative!
though it does not really help you in configuring IPSec) (2-10)

Books:

William Stallings, Cryptography and Network Security, 2nd Ed., Prentice Hall, pgs. 399-432 (3 - 8)

Manfred Lipp, VPN - Virtuelle Private Netzwerke, Addison-Wesley (3 - 9)
--- this book is great, but in German. If you want, I could send you scans of the really informative illustrations...

(...I think that I got quite a lot of books on this theme, but the others I would not even mention --- though the CISCO literature helps a lot, if you use CISCO equipment --- e.g. "CISCO IOS 12.0 Network Security")

Best regards,
Michael Werzowa

On Tuesday, 22 January 2002, at 10:42, Trevillion, Alan wrote:

I have tried reading the RFC's but the explanation seemed to skip what was actually happening when 2 IPSec devices try to setup an IKE and IPSec SA. I just wondered if there were any diagrams that showed process flows. The RFC's I found seem to overcomplicate and just refer to other legal documentation. As you can guess this subject is relatively new to me.

Alan

..............
**************************************************************************
Karl-Michael Werzowa
A-1190 Wien, Paradisgasse 28/4/6
+43 (664)302 4511, fax +43 (1)328 1992 14
mikey at werzowa.at, michael.werzowa at bmi.gv.at
**************************************************************************

From jfranco at mundo-R.net Tue Jan 22 07:32:54 2002
From: jfranco at mundo-R.net (Franco Sabaris, Javier)
Date: Tue, 22 Jan 2002 13:32:54 +0100
Subject: [vpn] Netscreen and dynamic IP
Message-ID: <590B308051CDD511999600065B057E500146DF@COR0000S012>

Hi!

I need to set up a VPN that uses ADSL/Cable in the remote sites.

These ADSL/Cable services don't provide a fixed IP address. The IP address is dynamic. The central site has a fixed IP.

I would like to use Netscreen hardware devices both in the central site and in the remote sites.
Is it possible to configure the Netscreen 5xp to use dynamic addresses in the remote sites? Has anybody tried such a configuration?

Regards,
Xavo

From dparmer at dsscorp.com Tue Jan 22 15:33:53 2002
From: dparmer at dsscorp.com (dparmer at dsscorp.com)
Date: Tue, 22 Jan 2002 15:33:53 -0500
Subject: [vpn] Checkpoint/Netscreen VPN IKE Error Messages
Message-ID:

Thanks to all who have contributed advice. Unfortunately I still don't have a working solution.

I installed another test NT server running CP 4.1 SP5 on the same networks, using the identical Checkpoint policy and the same Netscreen box and policy on the other end, and the VPN site-to-site came up fine with both Phase 1 and Phase 2. The MTU sizes on the NIC cards were set the same - the only items different from the production box were the IP addresses on the interfaces and the NT 4.0 SP5 on the test box instead of NT SP6a. The production box had an Accelerator card (Broadcom card), and I removed that, and had the same problem. I even reinstalled Checkpoint 4.1 from scratch on the production server with the appropriate SPs and Hotfixes, copying over only the rulebases.fws, objects.C, standard.W, and the fwauth.NBD files from the original install, and I got the same results.

Since I also tried another CP firewall on a different ISP and got that one working, it must be something specific with this server. I discovered that a couple of SecuRemote users on Ethernet connections seem to be having connection timeout problems, and I saw similar Payload malformed messages for them in the log viewer. However, the connections do go through most of the time, and another CP to CP site-to-site connection on the production box is working fine.

Below is a summary of the log viewer message sequence (CP = Checkpoint, NS = Netscreen):

Action       Source          Destination     Info
key install  CP FW           NS FW           IKE Log: Phase 1 completion 3DES/SHA1/Pre-Shared secrets....
key install  CP FW           NS FW           Combined ESP: 3DES+SHA1 (Phase 2 completion) for subnet: CP subnet & NS subnet
encrypt      CP Internal PC  NS Internal PC  icmp-type 8 IKE Methods: Combined ESP: 3DES+SHA1
key install  CP FW           NS FW           IKE Log: Received Notification from Peer: Payload Malformed...
key install  CP FW           NS FW           IKE Log: Received Delete SA from Peer: NS IP ....

=================
Dave Parmer
Senior Network Engineer
Distributed Systems Services
www.dsscorp.com
610-927-2026
dparmer at dsscorp.com

Tom McHugh <TomM at spectrum-systems.com>
01/21/2002 04:00 PM
To: vpn at securityfocus.com
cc:
Subject: RE: [vpn] Checkpoint/Netscreen VPN IKE Error Messages

I happened to run across this bug report in the release notes for the latest version of NetScreen's OS. The problem reported was that Checkpoint didn't delete the SA for Phase 2 when the NetScreen sent a message to it to delete *both* Phase 1 and Phase 2 SAs. This is still reported in the current version of NetScreen's OS, but no mention is made about CheckPoint's version or any work-around.

Hope that helps,

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com
Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"
11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

> -----Original Message-----
> From: dparmer at dsscorp.com [mailto:dparmer at dsscorp.com]
> Sent: Monday, January 14, 2002 9:17 AM
> To: vpn at securityfocus.com
> Subject: [vpn] Checkpoint/Netscreen VPN IKE Error Messages
>
> Hello,
>
> We are having trouble for the past few weeks trying to get a Netscreen 5 to
> an NT 4.0 Checkpoint 4.1 SP5 site to site VPN operational.
> Generally IKE Phase 1 completes between the firewalls, but only very
> infrequently does IKE Phase 2 complete between the firewalls, according to
> the Checkpoint and Netscreen logs. When Phase 2 does complete, outbound
> traffic is encrypted but the return decrypts do not come back. We have
> encryption schemes identical for Phase 1 & Phase 2 between the Checkpoint &
> Netscreen boxes.
> When Phase 2 does not complete, messages in the log viewer include
> "Received delete SA from Peer" and "Received Notification from Peer:
> payload malformed", with the source address being the Checkpoint firewall
> and the destination being the Netscreen.
>
> Just for kicks, we tried creating a VPN connection to two other Checkpoint
> 4.1 sites (one had NT 4.0 using 4.1 SP2 and another had W2K using 4.1 SP5)
> using the same Netscreen 5 box with identical encryption properties, and
> both Phase 1 & Phase 2 became operational, and traffic was being encrypted
> and decrypted in both directions. Thus I eliminated the possibility that
> the Netscreen may be the issue.
>
> I then compared a few files on the various firewalls (crypt.def,
> objects.C), and could not find anything except cosmetic items that were
> different. I also tried the various debugging tools (fw monitor, fw -d d,
> FWIKE_DEBUG), and have examined the resultant file output, and was not able
> to decipher anything enlightening from these files, although I must admit
> that I don't know exactly what kind of packet flow or sequencing I should
> be looking for.
>
> Thanks in advance for any assistance.
> ============================
> Dave Parmer
> Distributed Systems Services
> 610-927-2026
> dparmer at dsscorp.com

From jdeshaies at pfn.com Tue Jan 22 11:16:50 2002
From: jdeshaies at pfn.com (Jane Deshaies)
Date: Tue, 22 Jan 2002 11:16:50 -0500
Subject: [vpn] OSPF through the VPN link "IPSEC"
Message-ID: <40E27CB80FF6D411915B0008C74CCE2C69DAF9@exchange.tcloud.net>

Yes, we use Zebra. www.zebra.org.

Cheers!
Jane

-----Original Message-----
From: itsd itsd [mailto:itsd2001 at hotmail.com]
Sent: Monday, January 21, 2002 11:02 PM
To: vpn at securityfocus.com
Subject: [vpn] OSPF through the VPN link "IPSEC"

Hi,

Does IPSEC support multicast ("OSPF") yet?

Thanks

From JohnC at hcarr.com Tue Jan 22 12:10:59 2002
From: JohnC at hcarr.com (John Clark)
Date: Tue, 22 Jan 2002 12:10:59 -0500
Subject: [vpn] either L2TP or IPSEC between Windows 2000 and a speedstream router
Message-ID: <4153089FC906D511B08A00A0CCDA3E040C3853@hcarrexch.hcarr.com>

Has anyone set up either L2TP or IPSEC between a Speedstream 5800 series router and a Microsoft 2000 VPN Server? I have looked at Microsoft's site and the www.efficient.com site and could not find anything remotely showing help in configuring both. If anyone has any ideas please email me.

Thanks,
John

From phil at vpnlabs.org Tue Jan 22 17:39:52 2002
From: phil at vpnlabs.org (Phil McGarr)
Date: Tue, 22 Jan 2002 14:39:52 -0800
Subject: [vpn] Netscreen and dynamic IP
In-Reply-To: <590B308051CDD511999600065B057E500146DF@COR0000S012>
Message-ID:

Franco,
I recommend using No-IP's free service at http://www.no-ip.com/ .
cheers,
Phil
http://www.vpnlabs.org/

-----Original Message-----
From: Franco Sabaris, Javier [mailto:jfranco at mundo-R.net]
Sent: Tuesday, January 22, 2002 4:33 AM
To: vpn at securityfocus.com
Subject: [vpn] Netscreen and dynamic IP

Hi!

I need to set up a VPN that uses ADSL/Cable in the remote sites.

These ADSL/Cable services don't provide a fixed IP address. The IP address is dynamic. The central site has a fixed IP.

I would like to use Netscreen hardware devices both in the central site and in the remote sites.

Is it possible to configure the Netscreen 5xp to use dynamic addresses in the remote sites? Has anybody tried such a configuration?

Regards,
Xavo

From britts at alexmo.com Tue Jan 22 18:03:19 2002
From: britts at alexmo.com (Glen Brittle)
Date: Tue, 22 Jan 2002 18:03:19 -0500
Subject: [vpn] Netscreen and dynamic IP
References:
Message-ID: <3C4DEFB7.99BCD956@alexmo.com>

Franco,

I currently use a Netscreen N5 at work and I use Netscreen Remote at home with a Cable connection. I only turn up the VPN at home when I need to use it. It is one-sided though.

Glen Brittle

Phil McGarr wrote:
> Franco,
> I recommend using No-IP's free service at http://www.no-ip.com/ .
>
> cheers,
> Phil
> http://www.vpnlabs.org/
>
> -----Original Message-----
> From: Franco Sabaris, Javier [mailto:jfranco at mundo-R.net]
> Sent: Tuesday, January 22, 2002 4:33 AM
> To: vpn at securityfocus.com
> Subject: [vpn] Netscreen and dynamic IP
>
> Hi!
>
> I need to set up a VPN that uses ADSL/Cable in the remote sites.
>
> These ADSL/Cable services don't provide a fixed IP address. The IP address
> is dynamic.
> The central site has a fixed IP.
>
> I would like to use Netscreen hardware devices both in the central site and
> in the remote sites.
>
> Is it possible to configure the Netscreen 5xp to use dynamic addresses in
> the remote sites? Has anybody tried such a configuration?
>
> Regards,
> Xavo

From jmorris at graycary.com Tue Jan 22 18:51:37 2002
From: jmorris at graycary.com (Morris, Jason)
Date: Tue, 22 Jan 2002 15:51:37 -0800
Subject: [vpn] Netscreen and dynamic IP
Message-ID: <27908515C23BF34791523AA6210DF40804CC2497@sanmail1.sd.internal>

Franco,

We do exactly this with roughly 250 home users right now. The remote device is configured as if it were a dial-up client, so the connection is one way. It is an expensive solution but fast and reliable. There is also the benefit of not needing to support an IPSec client on non-company hardware/configs. Our users were routinely nuking the software VPN with the latest internet download or AOL upgrade, etc. If you need an example config file I would be happy to send you one.

Jason Morris, Security Analyst
GRAYCARY. TECHNOLOGY'S LEGAL EDGE
Voice: 619.699.3574
jmorris at graycary.com

-----Original Message-----
From: Franco Sabaris, Javier [mailto:jfranco at mundo-R.net]
Sent: Tuesday, January 22, 2002 4:33 AM
To: vpn at securityfocus.com
Subject: [vpn] Netscreen and dynamic IP

Hi!

I need to set up a VPN that uses ADSL/Cable in the remote sites.

These ADSL/Cable services don't provide a fixed IP address. The IP address is dynamic. The central site has a fixed IP.

I would like to use Netscreen hardware devices both in the central site and in the remote sites.

Is it possible to configure the Netscreen 5xp to use dynamic addresses in the remote sites? Has anybody tried such a configuration?

Regards,
Xavo

From scure at redbulltech.com Tue Jan 22 18:59:39 2002
From: scure at redbulltech.com (sam)
Date: Tue, 22 Jan 2002 18:59:39 -0500
Subject: [vpn] Netscreen and dynamic IP
In-Reply-To: <590B308051CDD511999600065B057E500146DF@COR0000S012>
Message-ID: <001301c1a3a0$db2192f0$3201a8c0@horns>

Well, as long as the central site has fixed IPs and the remote sites initiate the VPN connection, you're OK. No need for other services to take part of the pie. :)

-----Original Message-----
From: Franco Sabaris, Javier [mailto:jfranco at mundo-R.net]
Sent: Tuesday, January 22, 2002 7:33 AM
To: vpn at securityfocus.com
Subject: [vpn] Netscreen and dynamic IP

Hi!

I need to set up a VPN that uses ADSL/Cable in the remote sites.

These ADSL/Cable services don't provide a fixed IP address. The IP address is dynamic. The central site has a fixed IP.

I would like to use Netscreen hardware devices both in the central site and in the remote sites.

Is it possible to configure the Netscreen 5xp to use dynamic addresses in the remote sites? Has anybody tried such a configuration?

Regards,
Xavo

From lisa at corecom.com Tue Jan 22 18:54:29 2002
From: lisa at corecom.com (Lisa Phifer)
Date: Tue, 22 Jan 2002 18:54:29 -0500
Subject: [vpn] Netscreen and dynamic IP
In-Reply-To: <590B308051CDD511999600065B057E500146DF@COR0000S012>
Message-ID: <4.2.0.58.20020122185309.009d6250@mail2.netreach.net>

At 01:32 PM 1/22/2002 +0100, Franco Sabaris, Javier wrote:
>I would like to use Netscreen hardware devices both in the central site and
>in the remote sites.
>
>Is it possible to configure the Netscreen 5xp to use dynamic addresses in
>the remote sites? Has anybody tried such a configuration?

Yes, you can use a dynamic IP for your WAN interface on the NS5XP and configure a VPN to this dynamic address in your central (some other model) NetScreen. The tunnel can only be initiated by the 5XP, of course.

From jmuniz at loudcloud.com Tue Jan 22 20:41:14 2002
From: jmuniz at loudcloud.com (Jose Muniz)
Date: Tue, 22 Jan 2002 17:41:14 -0800
Subject: [vpn] Netscreen and dynamic IP
References: <590B308051CDD511999600065B057E500146DF@COR0000S012>
Message-ID: <3C4E14BA.5DFB5966@loudcloud.com>

Yes, it is possible. You could use an identity as an identifier, instead of a unicast IP address. However, you are only going to be able to initiate connections in one direction; once the SAs are established you can have flows in both directions if the policy says so.

Here is a sample for ya:

    set ike gateway "GATEWAY_NAME" ip 0.0.0.0 id "jane@no-ip.net" Aggr preshare "PRESHARED_SECRET" proposal "pre-g2-3des-md5"

To tighten it up a bit you could also enable authentication.

It works well.

Jose.

"Franco Sabaris, Javier" wrote:
> Hi!
>
> I need to set up a VPN that uses ADSL/Cable in the remote sites.
>
> These ADSL/Cable services don't provide a fixed IP address. The IP address
> is dynamic.
> The central site has a fixed IP.
>
> I would like to use Netscreen hardware devices both in the central site and
> in the remote sites.
>
> Is it possible to configure the Netscreen 5xp to use dynamic addresses in
> the remote sites? Has anybody tried such a configuration?
>
> Regards,
> Xavo

--
Jose Muniz
Network Engineering
Loudcloud, Inc.
(408)744-7583 Direct
page-jmuniz at loudcloud.com
-------------------------
http://www.loudcloud.com

From Markwat at aol.com Tue Jan 22 21:06:54 2002
From: Markwat at aol.com (Markwat at aol.com)
Date: Tue, 22 Jan 2002 21:06:54 EST
Subject: [vpn] vpn question
Message-ID: <72.16675b2e.297f74be@aol.com>

I have a 5 branch company with 50 PCs throughout. Headquarters has 34, and there are 4 in each of the others. We are on a Windows NT network, and our locations are connected by frame relay at 64 Kbps. We utilize VoIP. To save money, and give me the ability to get higher bandwidth, I would like to get rid of the frame relay and switch to a VPN. I have done a lot of research, but am still confused as to whether I can simply implement Windows NT (or Windows 2000) software VPN, or if I need to implement a hardware based VPN. I also am considering the possibility of outsourcing. Can you offer me some advice?

From prasanna_bs at vsnl.com Wed Jan 23 06:30:27 2002
From: prasanna_bs at vsnl.com (B. S. Prasanna)
Date: Wed, 23 Jan 2002 17:00:27 +0530
Subject: [vpn] Datasheets and Understanding??
Message-ID: <3C4E9ED2.259F19D9@vsnl.com>

Hi!

I am at a crossroads to make some important decisions on the use of crypto silicon and systems. I see claims like X thousand VPN tunnels and Y thousand concurrent sessions.

Another question, out of context: does the word tunnel under IPSec mean the same as in MPLS? Does everyone mean the same definition?

Can anyone enlighten me with a global definition and the claims?
Thanks
Prasanna

From scure at redbulltech.com Wed Jan 23 10:40:14 2002
From: scure at redbulltech.com (sam)
Date: Wed, 23 Jan 2002 10:40:14 -0500
Subject: [vpn] vpn question
In-Reply-To: <72.16675b2e.297f74be@aol.com>
Message-ID: <001b01c1a424$41233990$3201a8c0@horns>

Here are some thoughts...

For a software solution:
InfoExpress (http://www.infoexpress.com/products/vpn/index.html) has a software solution that sits on a dedicated Windows box and supports practically everything.

For a hardware solution:
I recommend the Nokia CryptoCluster series for site-to-site, client-to-site, and site-to-3rd-party-unmanaged-site for its bandwidth, policy management, and pricing.

Hope this helps. Feel free to contact me for any more information.

-----Original Message-----
From: Markwat at aol.com [mailto:Markwat at aol.com]
Sent: Tuesday, January 22, 2002 9:07 PM
To: vpn at securityfocus.com
Subject: [vpn] vpn question

I have a 5 branch company with 50 PCs throughout. Headquarters has 34, and there are 4 in each of the others. We are on a Windows NT network, and our locations are connected by frame relay at 64 Kbps. We utilize VoIP.

To save money, and give me the ability to get higher bandwidth, I would like to get rid of the frame relay, and switch to a VPN. I have done a lot of research, but am still confused as to whether I can simply implement Windows NT (or Windows 2000) software VPN, or if I need to implement a hardware based VPN. I also am considering the possibility of outsourcing. Can you offer me some advice?

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.314 / Virus Database: 175 - Release Date: 1/11/2002

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.314 / Virus Database: 175 - Release Date: 1/11/2002

From sandy at storm.ca Wed Jan 23 10:54:26 2002
From: sandy at storm.ca (Sandy Harris)
Date: Wed, 23 Jan 2002 10:54:26 -0500
Subject: [vpn] vpn question
References: <72.16675b2e.297f74be@aol.com>
Message-ID: <3C4EDCB2.9FAF8B8D@storm.ca>

Markwat at aol.com wrote:
>
> I have a 5 branch company with 50 PCs throughout. Headquarters has 34, and there are 4 in each of the others. We are on a Windows NT network, and our locations are connected by frame relay at 64 Kbps. We utilize VoIP.

I would suggest you should use IPsec, although I believe earlier Windows versions offer some VPN functionality via PPTP. See www.counterpane.com for papers describing serious flaws in PPTP.

2000 and XP, but not NT or 9x/ME, include IPsec. So do many firewall packages including some for NT, many routers, various dedicated boxes, ...

> To save money, and give me the ability to get higher bandwidth, I would like to get rid of the frame relay, and switch to a VPN. I have done a lot of research, but am still confused as to whether I can simply implement Windows NT (or Windows 2000) software VPN, or if I need to implement a hardware based VPN. I also am considering the possibility of outsourcing. Can you offer me some advice?

For a network of that size, and moderate bandwidth, you could certainly use software, given some reasonable boxes as the gateways. Some estimates of software performance -- for a Linux IPsec, but 2000 or XP shouldn't be too different -- are at:

http://www.freeswan.org/freeswan_trees/freeswan-1.94/doc/performance.html

That you could use software does not necessarily mean you should. Some IPsec products are "only clients": they will do IPsec for the machine they are installed on, but will not work as a gateway doing IPsec for a network behind them.
I have been told Windows 2000 Pro is in this category, so you have to buy the server version for gateway applications. (Someone who does more Windows work than I, please leap in and confirm or correct this!) If that is the case, buying a dedicated VPN box may be cheaper than doing it with Windows. Even if it costs more, the dedicated box may be easier to administer.

Also, check with the vendors of whatever routers and firewall products you use. Most of these now offer IPsec, and several provide methods of integrating with NT security management.

Likely otherwise-surplus PCs running an Open Source IPsec implementation could handle this. This would be a reasonable choice if you have some Unix expertise in the shop, likely not otherwise. www.freeswan.org for Linux IPsec, or any of freebsd.org, netbsd.org or openbsd.org.

From tbird at precision-guesswork.com Wed Jan 23 09:39:35 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 23 Jan 2002 08:39:35 -0600 (CST)
Subject: [vpn] vpn question
In-Reply-To: <001b01c1a424$41233990$3201a8c0@horns>
Message-ID:

I feel obliged to point out that the totally rockin' InfoExpress solution runs on a variety of UNIX boxes, not just Windows systems. The server, that is; clients are available for various Win flavors, Linux, Solaris, and sometimes Macintoshes.

The main win in my book for their product is that it's >not< IPsec -- which is often a problematic set of protocols for remote access VPN users. It's TCP-based and really easy to use inside a firewalled or NAT'ted environment.

tbird

"I was being patient, but it took too long."
- Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

On Wed, 23 Jan 2002, sam wrote:

> Here are some thoughts...
>
> For software solution:
> InfoExpress (http://www.infoexpress.com/products/vpn/index.html) has software solution that sits on a dedicated Windows box and supports practically everything.
>
> For Hardware solution:
> I recommend the Nokia CryptoCluster series for site to site, client to site, and site to 3rd party unmanaged site for its bandwidth, policy management, and pricing.
>
> Hope this helps. Feel free to contact me for any more information.
>
> -----Original Message-----
> From: Markwat at aol.com [mailto:Markwat at aol.com]
> Sent: Tuesday, January 22, 2002 9:07 PM
> To: vpn at securityfocus.com
> Subject: [vpn] vpn question
>
> I have a 5 branch company with 50 PCs throughout. Headquarters has 34, and there are 4 in each of the others. We are on a Windows NT network, and our locations are connected by frame relay at 64 Kbps. We utilize VoIP.
>
> To save money, and give me the ability to get higher bandwidth, I would like to get rid of the frame relay, and switch to a VPN. I have done a lot of research, but am still confused as to whether I can simply implement Windows NT (or Windows 2000) software VPN, or if I need to implement a hardware based VPN. I also am considering the possibility of outsourcing. Can you offer me some advice?
From scure at redbulltech.com Wed Jan 23 11:21:24 2002
From: scure at redbulltech.com (sam)
Date: Wed, 23 Jan 2002 11:21:24 -0500
Subject: [vpn] vpn question
In-Reply-To:
Message-ID: <001f01c1a42a$0111a5c0$3201a8c0@horns>

I couldn't have said it better myself. :)

-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Wednesday, January 23, 2002 9:40 AM
To: sam
Cc: Markwat at aol.com; vpn at securityfocus.com
Subject: RE: [vpn] vpn question

I feel obliged to point out that the totally rockin' InfoExpress solution runs on a variety of UNIX boxes, not just Windows systems. The server, that is; clients are available for various Win flavors, Linux, Solaris, and sometimes Macintoshes.

The main win in my book for their product is that it's >not< IPsec -- which is often a problematic set of protocols for remote access VPN users. It's TCP-based and really easy to use inside a firewalled or NAT'ted environment.

tbird

"I was being patient, but it took too long."
- Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

On Wed, 23 Jan 2002, sam wrote:

> Here are some thoughts...
>
> For software solution:
> InfoExpress (http://www.infoexpress.com/products/vpn/index.html) has software solution that sits on a dedicated Windows box and supports practically everything.
>
> For Hardware solution:
> I recommend the Nokia CryptoCluster series for site to site, client to site, and site to 3rd party unmanaged site for its bandwidth, policy management, and pricing.
>
> Hope this helps. Feel free to contact me for any more information.
>
> -----Original Message-----
> From: Markwat at aol.com [mailto:Markwat at aol.com]
> Sent: Tuesday, January 22, 2002 9:07 PM
> To: vpn at securityfocus.com
> Subject: [vpn] vpn question
>
> I have a 5 branch company with 50 PCs throughout. Headquarters has 34, and there are 4 in each of the others. We are on a Windows NT network, and our locations are connected by frame relay at 64 Kbps. We utilize VoIP.
>
> To save money, and give me the ability to get higher bandwidth, I would like to get rid of the frame relay, and switch to a VPN. I have done a lot of research, but am still confused as to whether I can simply implement Windows NT (or Windows 2000) software VPN, or if I need to implement a hardware based VPN. I also am considering the possibility of outsourcing. Can you offer me some advice?

From Patrick.Bryan at abbott.com Wed Jan 23 14:58:56 2002
From: Patrick.Bryan at abbott.com (Patrick.Bryan at abbott.com)
Date: Wed, 23 Jan 2002 13:58:56 -0600
Subject: [vpn] Netmeeting over an IPSec based VPN?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good day..
It is my understanding that Netmeeting will not work over an IPSec based VPN where IPSec mode 3 dynamic address allocation is employed. Can anyone confirm this? What does this break? Any info is appreciated.

Thanks,

________________________________________
Patrick A. Bryan, CISSP
Abbott Laboratories, Worldwide Network Services
Dept 0070 Bldg. AP14B
(p) (847) / 935 - 9226
(e) patrick.bryan at abbott.com
________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPE8WFs4KS7v/1TGgEQL45QCgn6lQ63u+oLqA7L5/I9buASaVNyIAoLaA
twrqA1ehjVyqRv4tUY5+FrvU
=D8iv
-----END PGP SIGNATURE-----

A non-text attachment was scrubbed...
Name: pgp.rtf.asc
Type: application/octet-stream
Size: 783 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20020123/d1752be7/attachment.obj

From roger.qian at sholodge.com Wed Jan 23 18:08:31 2002
From: roger.qian at sholodge.com (Qian, Roger)
Date: Wed, 23 Jan 2002 17:08:31 -0600
Subject: [vpn] vpn question
Message-ID:

Has someone used the CISCO PIX firewall built-in VPN function?

Thanks.
Roger

-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Wednesday, January 23, 2002 8:40 AM
To: sam
Cc: Markwat at aol.com; vpn at securityfocus.com
Subject: RE: [vpn] vpn question

I feel obliged to point out that the totally rockin' InfoExpress solution runs on a variety of UNIX boxes, not just Windows systems. The server, that is; clients are available for various Win flavors, Linux, Solaris, and sometimes Macintoshes.

The main win in my book for their product is that it's >not< IPsec -- which is often a problematic set of protocols for remote access VPN users. It's TCP-based and really easy to use inside a firewalled or NAT'ted environment.

tbird

"I was being patient, but it took too long."
- Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

On Wed, 23 Jan 2002, sam wrote:

> Here are some thoughts...
>
> For software solution:
> InfoExpress (http://www.infoexpress.com/products/vpn/index.html) has software solution that sits on a dedicated Windows box and supports practically everything.
>
> For Hardware solution:
> I recommend the Nokia CryptoCluster series for site to site, client to site, and site to 3rd party unmanaged site for its bandwidth, policy management, and pricing.
>
> Hope this helps. Feel free to contact me for any more information.
>
> -----Original Message-----
> From: Markwat at aol.com [mailto:Markwat at aol.com]
> Sent: Tuesday, January 22, 2002 9:07 PM
> To: vpn at securityfocus.com
> Subject: [vpn] vpn question
>
> I have a 5 branch company with 50 PCs throughout. Headquarters has 34, and there are 4 in each of the others. We are on a Windows NT network, and our locations are connected by frame relay at 64 Kbps. We utilize VoIP.
>
> To save money, and give me the ability to get higher bandwidth, I would like to get rid of the frame relay, and switch to a VPN. I have done a lot of research, but am still confused as to whether I can simply implement Windows NT (or Windows 2000) software VPN, or if I need to implement a hardware based VPN. I also am considering the possibility of outsourcing. Can you offer me some advice?
From danx at geac.com Wed Jan 23 18:14:00 2002
From: danx at geac.com (danx at geac.com)
Date: Wed, 23 Jan 2002 23:14 -0000
Subject: [vpn] vpn question
Message-ID:

I understand the 5xx is going out of production?

----Original Message-----
>From: sam
>To: ;
>Cc:
>Subj: RE: [vpn] vpn question
>Reply To:
>Sent: Wednesday, January 23, 2002 10:41 AM
>
>Here are some thoughts...
>
>For software solution:
>InfoExpress (http://www.infoexpress.com/products/vpn/index.html) has software solution that sits on a dedicated Windows box and supports practically everything.
>
>For Hardware solution:
>I recommend the Nokia CryptoCluster series for site to site, client to site, and site to 3rd party unmanaged site for its bandwidth, policy management, and pricing.
>
>Hope this helps. Feel free to contact me for any more information.
>
>-----Original Message-----
>From: Markwat at aol.com [mailto:Markwat at aol.com]
>Sent: Tuesday, January 22, 2002 9:07 PM
>To: vpn at securityfocus.com
>Subject: [vpn] vpn question
>
>I have a 5 branch company with 50 PCs throughout. Headquarters has 34, and there are 4 in each of the others. We are on a Windows NT network, and our locations are connected by frame relay at 64 Kbps. We utilize VoIP.
>
>To save money, and give me the ability to get higher bandwidth, I would like to get rid of the frame relay, and switch to a VPN. I have done a lot of research, but am still confused as to whether I can simply implement Windows NT (or Windows 2000) software VPN, or if I need to implement a hardware based VPN. I also am considering the possibility of outsourcing. Can you offer me some advice?
From djdawso at qwest.com Wed Jan 23 19:02:35 2002
From: djdawso at qwest.com (Dana J. Dawson)
Date: Wed, 23 Jan 2002 18:02:35 -0600
Subject: [vpn] vpn question
References:
Message-ID: <3C4F4F1B.8FCF177F@qwest.com>

"Qian, Roger" wrote:
>
> Has someone used CISCO PIX firewall built-in VPN function?
> Thanks.
> Roger

I've configured PIXes to do both site-to-site and remote client VPNs. They're very much like Cisco routers to configure, both in terms of the commands you use and the amount of work it takes to get things working. The biggest challenge with setting up VPNs in the routers and PIXes is getting all the various command parameters correct that have to match between the peers. You frequently end up spending more time doing a "stare and compare" than you do putting in the actual configuration. As is the case with the routers, the PIX is better for site-to-site VPNs than for remote client VPNs.

HTH

Dana

--
Dana J. Dawson djdawso at qwest.com
Senior Staff Engineer CCIE #1937
Qwest Global Services (612) 664-3364
Qwest Communications (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

From Chris_Barker at westlb-systems.co.jp Wed Jan 23 19:39:38 2002
From: Chris_Barker at westlb-systems.co.jp (Chris_Barker at westlb-systems.co.jp)
Date: Thu, 24 Jan 2002 09:39:38 +0900
Subject: [vpn] vpn question
Message-ID: <49256B4B.0004544A.00@tky-notes-03.westlb.co.jp>

Hi,

I've been working with the PIX's IPSec VPN functions for a year or so.
While I'm generally very happy with the PIX as a firewall and VPN gateway, I would say that some folks who are new to VPNs & firewalls may be a bit intimidated by the command line interface. The GUI manager (PDM) does not support VPN functions as far as I know.

OTOH, if you are already comfortable with Cisco IOS on routers, learning the PIX is not hard at all, and Cisco's website has lots of useful tips and configuration examples which can be adapted to almost any situation.

Chris Barker
APAC Regional IT Security Officer
WestLB Systems, Tokyo Branch

"Qian, Roger"
01/24/2002 08:08 AM

To: Tina Bird , sam
cc: Markwat at aol.com, vpn at securityfocus.com, (bcc: Chris Barker/TKY/WestLB-Systems/WLB)
Subject: RE: [vpn] vpn question

Has someone used the CISCO PIX firewall built-in VPN function?

Thanks.
Roger

-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Wednesday, January 23, 2002 8:40 AM
To: sam
Cc: Markwat at aol.com; vpn at securityfocus.com
Subject: RE: [vpn] vpn question

I feel obliged to point out that the totally rockin' InfoExpress solution runs on a variety of UNIX boxes, not just Windows systems. The server, that is; clients are available for various Win flavors, Linux, Solaris, and sometimes Macintoshes.

The main win in my book for their product is that it's >not< IPsec -- which is often a problematic set of protocols for remote access VPN users. It's TCP-based and really easy to use inside a firewalled or NAT'ted environment.

tbird

"I was being patient, but it took too long."
- Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

On Wed, 23 Jan 2002, sam wrote:

> Here are some thoughts...
>
> For software solution:
> InfoExpress (http://www.infoexpress.com/products/vpn/index.html) has software solution that sits on a dedicated Windows box and supports practically everything.
>
> For Hardware solution:
> I recommend the Nokia CryptoCluster series for site to site, client to site, and site to 3rd party unmanaged site for its bandwidth, policy management, and pricing.
>
> Hope this helps. Feel free to contact me for any more information.
>
> -----Original Message-----
> From: Markwat at aol.com [mailto:Markwat at aol.com]
> Sent: Tuesday, January 22, 2002 9:07 PM
> To: vpn at securityfocus.com
> Subject: [vpn] vpn question
>
> I have a 5 branch company with 50 PCs throughout. Headquarters has 34, and there are 4 in each of the others. We are on a Windows NT network, and our locations are connected by frame relay at 64 Kbps. We utilize VoIP.
>
> To save money, and give me the ability to get higher bandwidth, I would like to get rid of the frame relay, and switch to a VPN. I have done a lot of research, but am still confused as to whether I can simply implement Windows NT (or Windows 2000) software VPN, or if I need to implement a hardware based VPN. I also am considering the possibility of outsourcing. Can you offer me some advice?
This message is confidential and may be privileged. It is intended solely for the named addressee. If you are not the intended recipient please inform us. Any unauthorised dissemination, distribution or copying hereof is prohibited. As we cannot guarantee the genuineness or completeness of the information contained in this message, the statements set forth above are not legally binding. In connection therewith, we also refer to the governing regulations of WestLB concerning signatory authority published in the standard bank signature lists with regard to the legally binding effect of statements made with the intent to obligate WestLB.

From Stephen.Hope at energis.com Thu Jan 24 11:06:21 2002
From: Stephen.Hope at energis.com (Stephen Hope)
Date: Thu, 24 Jan 2002 16:06:21 -0000
Subject: [vpn] vpn question
Message-ID: <73BE32DA9E55D511ACF30050BAEA0487459109@eisemail.energis.co.uk>

Your Q leaves out 1 point - if you go to a VPN, then you are connecting each office to the Internet.
If you use "real" internet, then I would recommend that you put a firewall in each location - e.g. a Cisco PIX 515 in the central site and a 506 at each remote. You can then set up tunnels between the firewalls rather than use separate VPN equipment.

Alternatively, find an ISP / carrier offering a managed VPN service - that way they look after the WAN links, routers and VPN kit, and it looks very like your existing frame relay WAN and routers.

Stephen

My opinions, not my employer's.

-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Wednesday, January 23, 2002 2:40 PM
To: sam
Cc: Markwat at aol.com; vpn at securityfocus.com
Subject: RE: [vpn] vpn question

I feel obliged to point out that the totally rockin' InfoExpress solution runs on a variety of UNIX boxes, not just Windows systems. The server, that is; clients are available for various Win flavors, Linux, Solaris, and sometimes Macintoshes.

The main win in my book for their product is that it's >not< IPsec -- which is often a problematic set of protocols for remote access VPN users. It's TCP-based and really easy to use inside a firewalled or NAT'ted environment.

tbird

"I was being patient, but it took too long."
- Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

On Wed, 23 Jan 2002, sam wrote:

> Here are some thoughts...
>
> For software solution:
> InfoExpress (http://www.infoexpress.com/products/vpn/index.html) has software solution that sits on a dedicated Windows box and supports practically everything.
>
> For Hardware solution:
> I recommend the Nokia CryptoCluster series for site to site, client to site, and site to 3rd party unmanaged site for its bandwidth, policy management, and pricing.
>
> Hope this helps. Feel free to contact me for any more information.
>
> -----Original Message-----
> From: Markwat at aol.com [mailto:Markwat at aol.com]
> Sent: Tuesday, January 22, 2002 9:07 PM
> To: vpn at securityfocus.com
> Subject: [vpn] vpn question
>
> I have a 5 branch company with 50 PCs throughout. Headquarters has 34, and there are 4 in each of the others. We are on a Windows NT network, and our locations are connected by frame relay at 64 Kbps. We utilize VoIP.
>
> To save money, and give me the ability to get higher bandwidth, I would like to get rid of the frame relay, and switch to a VPN. I have done a lot of research, but am still confused as to whether I can simply implement Windows NT (or Windows 2000) software VPN, or if I need to implement a hardware based VPN. I also am considering the possibility of outsourcing. Can you offer me some advice?

********************************************************************************************************
This e-mail is from Energis plc, 50 Victoria Embankment, London, EC4Y 0DE, United Kingdom, No: 2630471.

This e-mail is confidential to the addressee and may be privileged. The views expressed are personal and do not necessarily reflect those of Energis. If you are not the intended recipient please notify the sender immediately by calling our switchboard on +44 (0) 20 7206 5555 and do not disclose to another person or use, copy or forward all or any of it in any form.
********************************************************************************************************

From roger.qian at sholodge.com Thu Jan 24 16:18:29 2002
From: roger.qian at sholodge.com (Qian, Roger)
Date: Thu, 24 Jan 2002 15:18:29 -0600
Subject: [vpn] vpn question
Message-ID:

Thanks Dana.

You said the PIX is better for site-to-site VPNs than for remote client VPNs. Could you please tell me why?
Currently we're using Microsoft NT RRAS VPN server, and are going to have a PIX 515 UR firewall with VPN 3DES license.

Thanks again for your time.

Roger

-----Original Message-----
From: Dana J. Dawson [mailto:djdawso at qwest.com]
Sent: Wednesday, January 23, 2002 6:03 PM
To: vpn at securityfocus.com
Subject: Re: [vpn] vpn question

"Qian, Roger" wrote:
>
> Has someone used CISCO PIX firewall built-in VPN function?
> Thanks.
> Roger

I've configured PIXes to do both site-to-site and remote client VPNs. They're very much like Cisco routers to configure, both in terms of the commands you use and the amount of work it takes to get things working. The biggest challenge with setting up VPNs in the routers and PIXes is getting all the various command parameters correct that have to match between the peers. You frequently end up spending more time doing a "stare and compare" than you do putting in the actual configuration. As is the case with the routers, the PIX is better for site-to-site VPNs than for remote client VPNs.

HTH

Dana

--
Dana J. Dawson djdawso at qwest.com
Senior Staff Engineer CCIE #1937
Qwest Global Services (612) 664-3364
Qwest Communications (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."
From jmuniz at loudcloud.com Thu Jan 24 19:36:57 2002
From: jmuniz at loudcloud.com (Jose Muniz)
Date: Thu, 24 Jan 2002 16:36:57 -0800
Subject: [vpn] vpn question
References:
Message-ID: <3C50A8A9.3D80BD8B@loudcloud.com>

Unmanageable; this is true with full mesh as well...

Jose.

"Qian, Roger" wrote:
> Thanks Dana.
>
> You said the PIX is better for site-to-site VPNs than for remote client VPNs. Could you please tell me why?
> Currently we're using Microsoft NT RRAS VPN server, and are going to have a PIX 515 UR firewall with VPN 3DES license.
>
> Thanks again for your time.
>
> Roger
>
> -----Original Message-----
> From: Dana J. Dawson [mailto:djdawso at qwest.com]
> Sent: Wednesday, January 23, 2002 6:03 PM
> To: vpn at securityfocus.com
> Subject: Re: [vpn] vpn question
>
> "Qian, Roger" wrote:
> >
> > Has someone used CISCO PIX firewall built-in VPN function?
> > Thanks.
> > Roger
>
> I've configured PIXes to do both site-to-site and remote client VPNs. They're very much like Cisco routers to configure, both in terms of the commands you use and the amount of work it takes to get things working. The biggest challenge with setting up VPNs in the routers and PIXes is getting all the various command parameters correct that have to match between the peers. You frequently end up spending more time doing a "stare and compare" than you do putting in the actual configuration. As is the case with the routers, the PIX is better for site-to-site VPNs than for remote client VPNs.
>
> HTH
>
> Dana
>
> --
> Dana J. Dawson djdawso at qwest.com
> Senior Staff Engineer CCIE #1937
> Qwest Global Services (612) 664-3364
> Qwest Communications (612) 664-4779 (FAX)
> 600 Stinson Blvd., Suite 1S
> Minneapolis MN 55413-2620
>
> "Hard is where the money is."
--
Jose Muniz
Network Engineering
Loudcloud, Inc.
(408)744-7583 Direct
page-jmuniz at loudcloud.com
-------------------------
http://www.loudcloud.com

From riccardo at thevalentes.net Fri Jan 25 09:49:52 2002
From: riccardo at thevalentes.net (Riccardo Valente)
Date: Fri, 25 Jan 2002 14:49:52 -0000
Subject: [vpn] Netscreen/Sonicwall Phase 1 failure
Message-ID: <003c01c1a5af$8be476b0$0140fea9@objectronix.com>

I'm trying to troubleshoot a failing pre-shared secret Phase 1 negotiation between a Netscreen and a Sonicwall. I don't have access to the latter, but I was assured it's using DH Group2, DES and MD5.

This is the log for Phase 1:

01/25/2002 14:16:33 Give up phase 1 to x.x.x.x
01/25/2002 14:16:15 phase 2 sa task to x.x.x.x exist.
01/25/2002 14:16:03 Initialt Phase 1 session, peer<7>.

and an extract of the debug information:

receive INFO pkt with message id before phase 1 auth is done. Ignore the pkt
[retries timing out]
Phase 1 SA(a.b.c.d) reported broken.
delete sa(w.x.y.z - a.b.c.d), state (100f/2)

I tend to think the problem is at the Sonicwall end, since this Netscreen configuration has been used successfully with all sorts of VPN gateways with no excessive grief. Any suggestions?
riccardo

From tbird at precision-guesswork.com Fri Jan 25 11:10:26 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Fri, 25 Jan 2002 10:10:26 -0600 (CST)
Subject: [vpn] new release of pptp proxy (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Thu, 24 Jan 2002 12:21:44 -0800
From: Emmanuel Mogenet
To: firewall-wizards at nfr.com
Subject: [fw-wiz] new release of pptp proxy

Release 1.3 of pptpproxy, a PPTP userland forwarder for Unix firewalls, is available at http://www.mgix.com/pptpproxy

_______________________________________________

From dklein at netscreen.com Fri Jan 25 13:03:38 2002
From: dklein at netscreen.com (David Klein)
Date: Fri, 25 Jan 2002 10:03:38 -0800
Subject: [vpn] Netscreen/Sonicwall Phase 1 failure
Message-ID: <9D048F4A422CD411A56500B0D0209C5B03D74E75@NS-CA>

Riccardo,

On the Netscreen, go into "debug ike" mode and have it be the IKE responder. In the debug output you should be able to spot what the Sonicwall (as IKE initiator) is proposing during phase 1 negotiations.

To go into debug mode on the Netscreen:

Connect to console or telnet into the Netscreen;
"set console dbuf"
"clear dbuf"
"debug ike detail" (or on older versions of ScreenOS the command is "debug ike 10");
have a client behind the Sonicwall initiate traffic to a system behind the Netscreen;
wait a few seconds;
"undebug all" (or on older versions of ScreenOS the command is "debug ike 0");
"get dbuf stream" to see the debug output.

To do it over: "clear ike all" on the Netscreen and do whatever on the Sonicwall to clear its SAs; "clear dbuf"; "debug ike detail" or "debug ike 10"; initiate traffic and review with "get dbuf stream".

When done, don't forget to turn off all debugs, otherwise the Netscreen will be slow.
Dave Klein
dklein at netscreen.com

> -----Original Message-----
> From: Riccardo Valente [mailto:riccardo at thevalentes.net]
> Sent: Friday, January 25, 2002 8:50 AM
> To: vpn at securityfocus.com
> Subject: [vpn] Netscreen/Sonicwall Phase 1 failure
>
>
> I'm trying to troubleshoot a failing pre-shared secret Phase 1 negotiation
> between a Netscreen and a Sonicwall. I don't have access to the latter, but
> I was assured it's using DH Group 2, DES and MD5.
>
> This is the log for Phase 1:
>
> 01/25/2002 14:16:33 Give up phase 1 to x.x.x.x
> 01/25/2002 14:16:15 phase 2 sa task to x.x.x.x exist.
> 01/25/2002 14:16:03 Initialt Phase 1 session, peer<7>.
>
>
> and an extract of the debug information:
>
> receive INFO pkt with message id before phase 1 auth is done. Ignore the pkt
> [retries timing out]
> Phase 1 SA(a.b.c.d) reported broken.
> delete sa(w.x.y.z - a.b.c.d), state (100f/2)
>
>
> I tend to think the problem is at the Sonicwall end, since this Netscreen
> configuration has been used successfully with all sorts of VPN gateways
> with no excessive grief. Any suggestions?
>
> riccardo

From quinch at systems.visy.com.au Mon Jan 28 03:41:54 2002
From: quinch at systems.visy.com.au (Charlie Winchcombe)
Date: 28 Jan 2002 08:41:54 -0000
Subject: [vpn] Netscreen/Sonicwall Phase 1 failure
Message-ID: <20020128084154.27274.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20020128/166a8390/attachment.txt

From crenner at dynalivery.com Mon Jan 28 17:21:51 2002
From: crenner at dynalivery.com (Chuck Renner)
Date: Mon, 28 Jan 2002 16:21:51 -0600
Subject: [vpn] PIX 506 config question
Message-ID: <1D5FFAF04EC5D31182CD00508B5502BD63F398@novac.dynalivery.com>

I'm running a PIX 506 with the 3.x client software.
Currently, I have one group defined, and all users are using that group, which provides full access to the LAN. What I would like to do is create another group that has restricted access (only certain ports) to the LAN.

Nothing is grabbing me as a simple way to do this. I could create this other group to use a different IP pool, and then have another firewall handle things based on IP, but it seems like the PIX should have a way to handle this.

Any pointers in the right direction would be appreciated.

From bwhite at pathix.com Mon Jan 28 19:46:10 2002
From: bwhite at pathix.com (bwhite at pathix.com)
Date: Mon, 28 Jan 2002 21:16:10 -0330
Subject: [vpn] Netscreen Remote.
Message-ID:

We are using Netscreen Remote to a Netscreen 10. It had been working amazingly fast for about 10 months; now, all of a sudden, anything outside of a ping, tracert, or telnet is unbearably slow, even timing out on most occasions. We cannot access our mail, cannot copy files, etc.

It is only on one Netscreen 10; we can Netscreen Remote into another 10 we have and it is fine. Both are on the same OS. Internal networking is fine, as I can change to a mapped IP to access a server and it works very fast, but access this same server through Netscreen Remote and it is SLOW. I'm wondering if it could be a hardware problem?

We have the same policy which has always been in place, dialup-VPN to an internal network through a tunnel.

Has anyone experienced anything similar to this? I've been on the phone with their tech support for hours today on this.

Thanks for any help on this,

Blair

From jmuniz at loudcloud.com Tue Jan 29 14:40:21 2002
From: jmuniz at loudcloud.com (Jose Muniz)
Date: Tue, 29 Jan 2002 11:40:21 -0800
Subject: [vpn] Netscreen Remote.
References:
Message-ID: <3C56FAA4.7A1828AD@loudcloud.com>

I saw that weird problem once. As it turned out, the default gateway was a router doing ICMP redirection to another router in the same subnet. It was difficult to diagnose, as the subnet was not our domain; everything worked OK but IPSec. After looking at the ARP tables and snooping the wire, we found out about the real gateway [it was a colocated box on someone else's domain], changed the default router to the right interface, and it has been working like a charm from that day on.

Mark Twain.

bwhite at pathix.com wrote:
> We are using Netscreen Remote to a Netscreen 10. It had been working
> amazingly fast for about 10 months; now, all of a sudden, anything outside
> of a ping, tracert, or telnet is unbearably slow, even timing out on most
> occasions. We cannot access our mail, cannot copy files, etc.
>
> It is only on one Netscreen 10; we can Netscreen Remote into another 10 we
> have and it is fine. Both are on the same OS. Internal networking is fine,
> as I can change to a mapped IP to access a server and it works very fast,
> but access this same server through Netscreen Remote and it is SLOW. I'm
> wondering if it could be a hardware problem?
>
> We have the same policy which has always been in place, dialup-VPN to an
> internal network through a tunnel.
>
> Has anyone experienced anything similar to this? I've been on the phone
> with their tech support for hours today on this.
>
> Thanks for any help on this,
>
> Blair

--
Jose Muniz
Network Engineering
Loudcloud, Inc.
(408)744-7583 Direct
page-jmuniz at loudcloud.com
-------------------------
http://www.loudcloud.com

From jtapping at claranet.fr Tue Jan 29 15:55:10 2002
From: jtapping at claranet.fr (James Tapping)
Date: Tue, 29 Jan 2002 21:55:10 +0100
Subject: [vpn] Poptop Linux vpn setup (routing?)
Message-ID: <001901c1a907$3da19770$0200000a@win2000>

Hello,

I am trying to set up a simple VPN using poptop on a Linux box (called Gateway) behind an ADSL connection (using pptp). I have a local network on 10.0.0.0/24 and this is obviously the network that I would like a roaming person to be able to connect to.

I have tried connections from a Windows box and another Linux box; both connect fine. The (other) Linux box (for example) gets given the IP 10.0.0.116 (Gateway takes 10.0.0.100). From the (other) Linux box I can ping Gateway via 10.0.0.100, but I can't ping another machine on the 10.0.0.0/24 network... The whole point is obviously to give access to the internal network.

If I add a static route for e.g. 10.0.0.2 (on the box connecting to the VPN) saying go out via the ppp interface, the packet arrives at the Gateway machine but doesn't reach 10.0.0.2.

I remember doing this a while ago on a FreeBSD box with a cable connection and I didn't have any problem.

Anybody see what I am missing?

Any help appreciated

James

From esheffer at lycos.com Wed Jan 30 17:48:18 2002
From: esheffer at lycos.com (Eric Sheffer)
Date: 30 Jan 2002 22:48:18 -0000
Subject: [vpn] Linksys EtherFast Cable/DSL VPN Router
Message-ID: <20020130224818.32671.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20020130/41bcbcc9/attachment.txt

From derek at killearn.com Wed Jan 30 18:47:52 2002
From: derek at killearn.com (Derek Schwab)
Date: Wed, 30 Jan 2002 18:47:52 -0500
Subject: [vpn] LinkSys VPN router to InstagateEX??
References: <20020130224818.32671.qmail@mail.securityfocus.com>
Message-ID: <001a01c1a9e8$88835620$240a0a0a@killearn.com>

Does anyone know if the Linksys VPN router can create an IPSec tunnel with an InstagateEX? My company has a couple of locations connected back to corporate with Instagates.
We're adding another small branch office (3 or 4 PCs) that we need to connect. The Linksys router is very attractive for this, since it can be had for around $150. Does anyone know if the authentication/encryption scheme it uses is compatible with the InstagateEX?

Thanks
-Derek

From mats at decus.se Thu Jan 31 10:55:18 2002
From: mats at decus.se (Mats Akerberg)
Date: Thu, 31 Jan 2002 16:55:18 +0100 (MET)
Subject: [vpn] VPN IPSEC Client for Windows -XP
Message-ID:

Hi!

I have a Nokia CC250 and I'm looking for a Windows XP IPSEC client that will work with the Nokia. And the client shouldn't run "split tunnel" like Microsoft's own :-) I don't like "split tunnel" for home users.

I did try the FW-1 client, and the Cisco one, but couldn't get them to work.

Cheers
/Mats

Mats Akerberg (mats at decus.se)
http://www.decus.se/~mats
PGP fingerprint 39 74 49 B0 40 0F 16 CA C1 EE AA 08 55 76 CE 6F

From yaseransari at yahoo.com Thu Jan 31 07:21:23 2002
From: yaseransari at yahoo.com (Yaser Ansari)
Date: 31 Jan 2002 12:21:23 -0000
Subject: [vpn] VPN client installation Problem
Message-ID: <20020131122123.22048.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20020131/38e55bc8/attachment.txt

From palberto at libero.it Thu Jan 31 02:49:16 2002
From: palberto at libero.it (Alberto Pesce)
Date: Thu, 31 Jan 2002 08:49:16 +0100
Subject: [vpn] VPN and Ping
Message-ID: <008901c1aa2b$c8bb0560$b0a91997@pescefaa5jjh1x>

I am trying to set up a VPN between 2 LANs using 2 OpenBSD 2.9 boxes as gateways.

The problem: from a W98 host on 192.168.20.0 (the same net as gatewayB) I ping a W98 host on 192.168.10.0 (the same net as gatewayA), but I don't receive the echo reply.
Note the default gateway on all W98 machines is the internal interface of gatewayA for LAN 192.168.10.0 and gatewayB for LAN 192.168.20.0.

Logged on gatewayB I can see with:

tcpdump -i enc0
...data..(authentic,confidential: Spi 0x45A8428E: 192.168.20.4>192.168.10.4: icmp: echo request(encap)

and

tcpdump -i external_interface host gatewayA
...data... esp gatewayB > gatewayA spi 0x45A8428E seq 1 len 116

I see the same thing on gatewayA.

Please help me. Sorry for my English.

Alberto (Italy)
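The two tcpdump captures above show echo requests leaving gatewayB inside ESP but never a reply coming back. The following added script (not part of the post, written here as an illustration) parses capture lines in that same shape and reports echo requests with no matching reply and ESP flowing in only one direction, which narrows the search to the return path. The addresses and SPI are the post's; the repeated lines and the second "healthy" sample in the test are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the two captures from the post
# (enc0 on the OpenBSD gateway, then its external interface).
SAMPLE_ENC0 = """\
(authentic,confidential: Spi 0x45A8428E: 192.168.20.4>192.168.10.4: icmp: echo request(encap)
(authentic,confidential: Spi 0x45A8428E: 192.168.20.4>192.168.10.4: icmp: echo request(encap)
(authentic,confidential: Spi 0x45A8428E: 192.168.20.4>192.168.10.4: icmp: echo request(encap)
"""
SAMPLE_ESP = """\
esp gatewayB > gatewayA spi 0x45A8428E seq 1 len 116
esp gatewayB > gatewayA spi 0x45A8428E seq 2 len 116
esp gatewayB > gatewayA spi 0x45A8428E seq 3 len 116
"""

# Inner ICMP as decoded on enc0, and outer ESP as seen on the external interface.
ENC_RE = re.compile(r"spi\s+(0x[0-9a-f]+):\s*([\d.]+)\s*>\s*([\d.]+):\s*icmp:\s*echo\s+(request|reply)", re.I)
ESP_RE = re.compile(r"\besp\s+(\S+)\s*>\s*(\S+)\s+spi\s+(0x[0-9a-f]+)\s+seq\s+(\d+)", re.I)

def icmp_flows(enc0_text):
    """Count decapsulated echo requests and replies per (src, dst) seen on enc0."""
    reqs, reps = Counter(), Counter()
    for m in ENC_RE.finditer(enc0_text):
        _spi, src, dst, kind = m.groups()
        (reqs if kind.lower() == "request" else reps)[(src, dst)] += 1
    return reqs, reps

def esp_directions(esp_text):
    """Count ESP packets per (outer src, outer dst) on the external interface."""
    return Counter((m.group(1), m.group(2)) for m in ESP_RE.finditer(esp_text))

def diagnose(enc0_text, esp_text):
    """Return findings: requests without a reverse reply, and one-way ESP flows."""
    reqs, reps = icmp_flows(enc0_text)
    findings = []
    for (src, dst), n in sorted(reqs.items()):
        if reps[(dst, src)] == 0:  # nothing ever came back for this ping
            findings.append(("no_echo_reply", src, dst, n))
    dirs = esp_directions(esp_text)
    for (a, b), n in sorted(dirs.items()):
        if dirs[(b, a)] == 0:  # tunnel carries traffic in one direction only
            findings.append(("one_way_esp", a, b, n))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ENC0, SAMPLE_ESP):
        print(finding)
```

An empty result means both the inner ping and the outer ESP are seen in both directions, so the tunnel itself is not where the packets are lost.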