From danny at stallion.oz.au  Mon Jul  1 00:13:20 2002
From: danny at stallion.oz.au (Danny Smith)
Date: Mon, 1 Jul 2002 14:13:20 +1000
Subject: [vpn] Multilink-PPP/L2TP
In-Reply-To: <5.1.0.14.2.20020630215003.00aa7968@4.18.4.133>
Message-ID:

Hi all,

I mistakenly sent a reply directly to Neale earlier, so I thought I'd send this to the list as well.

My company does something that does this - ML-IP. It doesn't actually use PPP/L2TP, it's our own protocol, designed specifically to do this - bond multiple links into a tunnel between two devices. See www.ml-ip.com for more info.

Basically an ML-IP device fragments packets to be sent across the tunnel, encapsulates them, and sends the data across multiple links to another ML-IP device, which defragments them and puts them back onto a normal network. This means that to the end stations, the connection between the two ML-IP devices looks like a single fast connection.

The protocol (once the initial connection is made) sorts out what links are available on each device; all the user has to enter is an IP address to connect to (on the client end of the connection), and a username and password.

It uses a TCP connection to carry the data, so you can deploy ML-IP between any two sites which have IP connectivity to each other.

We also support load balancing of multiple outgoing connections to the Internet, without another ML-IP device to connect to, the same way as the Nexland box Pete just mentioned.

An earlier version of ML-IP called E2B is part of the Stallion ePipe product range, which also supports a range of VPN technologies, as a matter of interest!

I'll leave it at that unless anyone has any questions, I don't want to inflict too much of a sales spiel on the list.
Cheers,

********************************************
Danny Smith
Network Engineer
Stallion Technologies
E-mail danny at stallion.oz.au
www.stallion.com/epipe
********************************************

> -----Original Message-----
> From: Pete Jacob [mailto:pjacob at ftmc.com]
> Sent: Monday, 1 July 2002 11:51 AM
> To: Neale Banks; vpn at securityfocus.com
> Subject: Re: [vpn] Multilink-PPP/L2TP
>
> here is a good link to accomplish the task.
>
> Cheers~
>
> Pete Jacob.
>
> http://www.overclockersclub.com/nexland.shtml
>
> At 10:11 PM 6/26/2002 +1000, Neale Banks wrote:
>
> >Not strictly a VPN question as such, but using the same technologies to
> >achieve a different end:
> >
> >Has anyone had any success running Multilink-PPP over (at least) two L2TP
> >tunnels? If so what did you use and do?
> >
> >The objective here is to aggregate/bundle two IP-paths into one virtual
> >path to increase the throughput (so encryption etc aren't necessary).
> >
> >Thanks,
> >Neale.
>
> VPN is sponsored by SecurityFocus.com

From tjoen at xion-consulting.com  Mon Jul  1 03:47:58 2002
From: tjoen at xion-consulting.com (tjoen )
Date: Mon, 1 Jul 2002 09:47:58 +0200
Subject: [vpn] IPSEC/NAT
Message-ID:

> From: Jim Terry [mailto:jtixthus at attbi.com]
> Sent: Sunday, 30 June 2002 14:17
> I know from discussions on here that you cannot do PAT and
> IPSEC.

NAT and IPSEC is possible w FreeS/WAN. Not sure if it is RFC-compliant

> Confused.

Me 2

From jtixthus at attbi.com  Mon Jul  1 16:17:08 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Mon, 1 Jul 2002 13:17:08 -0700
Subject: [vpn] IPSEC/NAT
References: <4.2.0.58.20020701073225.00b3c3c0@mail2.netreach.net>
Message-ID: <004501c2213c$46fb64b0$0200a8c0@jtxixngte70fxo>

Thank you all for your responses. This helps very much.
JT

----- Original Message -----
From: "Lisa Phifer"
To: "Jim Terry"
Sent: Monday, July 01, 2002 4:36 AM
Subject: Re: [vpn] IPSEC/NAT

> At 07:17 AM 6/30/2002 -0700, Jim Terry wrote:
> >Is it a 1-to-1 correlation with globals and VPN tunnels
>
> Yes - as long as you have more active tunnels than IPs,
> you are doing PAT, with all its attendant problems.
>
> You'll find a good description of the problem, along with a
> workaround being implemented by several products, in these I-Ds:
>
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-01.txt
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt

From paul.gell at accenture.com  Tue Jul  2 05:30:51 2002
From: paul.gell at accenture.com (paul.gell at accenture.com)
Date: Tue, 2 Jul 2002 10:30:51 +0100
Subject: [vpn] Checkpoint/Contivity VPN Tunnel Drops randomly
Message-ID:

Hi,

I wonder if you'd be able to help me out.

I've recently configured a VPN tunnel between a Checkpoint and Contivity, and I've been told by the users that the connection drops randomly. Sometimes not at all during the day, sometimes a couple. I cannot find anything in the CP logs. I recently changed the VPN tunnel from two Contivity's to the current config of CP and Contivity. The link is in constant use throughout a working day and I've run out of ideas as to where the problem could be.

Regards
Paul

Paul Gell
Accenture - CIO Network Services
(Tel) - +44 207 844 4901 (Octel/VPN) - 434 4901
(Mobile) - +44 7947 751911
(email) - paul.gell at accenture.com

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
From rtwatson at qwest.net  Tue Jul  2 15:58:45 2002
From: rtwatson at qwest.net (Travis Watson)
Date: Tue, 2 Jul 2002 12:58:45 -0700
Subject: [vpn] Checkpoint/Contivity VPN Tunnel Drops randomly
References:
Message-ID: <003e01c22202$dfc5db00$27dd7f83@honeywellc5t7u>

Paul,

I'm not sure why it would just drop, but I have had trouble with the rekey between a Contivity and other VPN-1 boxes. Usually the problem results in phantom tunnels though and a "new" tunnel is initiated without much end user interruption.

Check to see if the Contivity and/or VPN-1 box is set for a data count rekey and see if that coincides with the hiccups. You will want to disable VendorID and Compression on both sides as well. Nortel's compression algorithm doesn't like to play nice with others and vendorID is sketchy, in my experience. (PFS should be ok).

Lastly, though it might not be possible, you may well want to upgrade the code on the Contivity--assuming it's not the 4.x code. Nortel has acknowledged problems with 3.5 code and earlier with rekey problems (though 3.6x should be ok, I think).

--Travis

----- Original Message -----
From:
To:
Sent: Tuesday, July 02, 2002 2:30 AM
Subject: [vpn] Checkpoint/Contivity VPN Tunnel Drops randomly

> [...]
From dmercurio at ccgsecurity.com  Tue Jul  2 16:52:44 2002
From: dmercurio at ccgsecurity.com (Dante Mercurio)
Date: Tue, 2 Jul 2002 16:52:44 -0400
Subject: [vpn] Dynamic IP & Branch-office VPN Tunnels
Message-ID: <03EA8EE1BD1FAD46A6AB4525406795E1012D71@ct2001.webcti.local>

Are there any industry standards (or ones being developed) in regard to creating a branch office VPN with a device that gets a dynamic IP? It seems that each manufacturer has its own proprietary solution limiting any implementation to their brand only. WatchGuard uses a proprietary protocol they call DVCP. NetScreen uses peer ID's. Checkpoint appliances have a version of their client that is invoked via a web browser, etc.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
dmercurio at ccgsecurity.com
Consulting Group Manager
Continental Consulting Group, LLC
www.ccgsecurity.com

From TKoopman at SonicWALL.com  Tue Jul  2 17:49:40 2002
From: TKoopman at SonicWALL.com (TKoopman at SonicWALL.com)
Date: Tue, 2 Jul 2002 14:49:40 -0700
Subject: [vpn] Checkpoint/Contivity VPN Tunnel Drops randomly
Message-ID: <7B8824D690092B4B90B0EF4674750A65037E4249@USEXCH3.us.sonicwall.com>

Travis has a good point on the rekeying. I think the Contivity will rekey after "x" data is transmitted. This may be causing the rekey with the other end to fail.
Todd

-----Original Message-----
From: Travis Watson [mailto:rtwatson at qwest.net]
Sent: Tuesday, July 02, 2002 12:59 PM
To: paul.gell at accenture.com
Cc: vpn at securityfocus.com
Subject: Re: [vpn] Checkpoint/Contivity VPN Tunnel Drops randomly

[...]
From srao at intotoinc.com  Tue Jul  2 19:09:16 2002
From: srao at intotoinc.com (Srinivasa Addepalli)
Date: 2 Jul 2002 23:09:16 -0000
Subject: [vpn] Dynamic IP & Branch-office VPN Tunnels
Message-ID: <20020702230916.4723.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20020702/5770dad3/attachment.txt

From scott.penno at gennex.com.au  Tue Jul  2 22:39:04 2002
From: scott.penno at gennex.com.au (Scott Penno)
Date: Wed, 3 Jul 2002 12:39:04 +1000
Subject: [vpn] Dynamic IP & Branch-office VPN Tunnels
References: <03EA8EE1BD1FAD46A6AB4525406795E1012D71@ct2001.webcti.local>
Message-ID: <007901c2223a$d0c95c20$01050c0a@jupiter>

IPSec from a device with a dynamic address [branch] to a device with a fixed IP address [central] is indeed supported as part of the standard. Where multiple IPSec policies exist on the central site VPN device, some form of identification [the ID field within the negotiation] is required to ensure that the correct IPSec policy is selected for the remote device.

I believe this is exactly the scenario being used by the Netscreen device and that I've experienced with devices from other vendors including Allied Telesyn and TimeStep and client software from SafeNet and TimeStep.

Scott.
----- Original Message -----
From: "Dante Mercurio"
To:
Sent: Wednesday, July 03, 2002 6:52 AM
Subject: [vpn] Dynamic IP & Branch-office VPN Tunnels

[...]

From jac_des_vert at yahoo.com  Wed Jul  3 07:03:56 2002
From: jac_des_vert at yahoo.com (Anthony Lee)
Date: Wed, 3 Jul 2002 04:03:56 -0700 (PDT)
Subject: [vpn] Checkpoint/Contivity VPN Tunnel Drops randomly
In-Reply-To: <7B8824D690092B4B90B0EF4674750A65037E4249@USEXCH3.us.sonicwall.com>
Message-ID: <20020703110356.25097.qmail@web14105.mail.yahoo.com>

Contivity can either rekey by a data amount or a time interval. I'd check and ensure that the intervals are the same. It does sound like a rekey issue that we've heard of before. I'm assuming this is an IPSec tunnel. I don't recall if CP and Contivity can do any other types.

I wouldn't use anyone's vendor ID to start with. Most people's vendor ID works fine between their own products but never works very well with others. Nortel's is no more "Sketchy" than any other's that I've used. I doubt that the vendor ID thing will ever be fixed since it's not in anyone's interest to make it work well.

You don't mention what version you're using, so I suggest you get v04_06.120 which I believe is a fairly new release. We run it and it appears to be pretty good.

Do you see anything in the Contivity's Log?
It should address why the connection went down. It will have an entry related to the Keying for that specific tunnel if it's an issue.

Also do you have the tunnels "Nailed UP?" The Contivity will maintain the tunnel without timing it out if you're using that mode. Of course, the tunnel won't come down if you should want it to be torn down when it's idle for extended periods.

The only other thing I'd suggest is to open a support case with both vendors and get them to figure it out for you. If it's a known issue they should be able to tell you that and workarounds if they exist. And they should upgrade your code if that is an issue.

Good Luck,
Jac

--- TKoopman at SonicWALL.com wrote:
> [...]
From jtixthus at attbi.com  Wed Jul  3 12:59:54 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Wed, 3 Jul 2002 09:59:54 -0700
Subject: [vpn] VPN and RSA keys
Message-ID: <000b01c222b3$0d8f4a20$0200a8c0@jtxixngte70fxo>

Hi all,

I need help! I am now trying to authenticate a VPN between 2 Cisco routers using Sun iPlanet.
Formerly I tried Microsoft CA server but someone on this list suggested I try this.

Well it seems the cert is pending on the router which means the iPlanet server is not releasing it. Any suggestions?

I am at the point if anyone is in the Los Angeles area I am willing to either pay them for help or allow use of my routers (at my place only). I have two 2524 and one 2610.

Please let me know.

JT

From jtixthus at attbi.com  Wed Jul  3 14:50:53 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Wed, 3 Jul 2002 11:50:53 -0700
Subject: [vpn] VPN and RSA keys
References:
Message-ID: <001301c222c2$8f3bb590$0200a8c0@jtxixngte70fxo>

I got a little farther but still need assistance. The request was pending on the server so I did approve it.

Now the debug on the router shows it received a packet from the remote peer that was not encrypted but it should have been. My ACLs appear to me to be correct.

The routers are connected by the S0 interfaces. The ACLs are defined from E0 to E0.

Here is what the debug says:
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.1.2 was not encrypted and it should've been.

Here is the explanation:
Contact remote peer!

Since this is a lab situation here are my configs

Router A:
hostname routera>>
!
clock timezone pacific -7
ip subnet-zero
ip host sun.com 192.168.0.2
ip host entrust.com 216.191.253.14
ip host jt-xixngte70fxo 192.168.0.2
ip domain-name jterry.net
ip name-server 192.168.0.2
!
!
!
crypto ca identity sun.com
 enrollment url http://192.168.0.2:80
 query url ldap://192.168.0.2
 crl optional
crypto ca certificate chain sun.com
 certificate 09
  308201BF 30820169 A0030201 02020109 300D0609 2A864886 F70D0101 04050030
  (truncated)
  quit
 certificate ca 01
  30820231 308201DB A0030201 02020101 300D0609 2A864886
  (truncated)
  quit
!
crypto isakmp policy 1
 hash md5
crypto isakmp identity hostname
!
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set myset
 match address 100
!
!
!
!
interface Ethernet0
 ip address 192.168.0.5 255.255.255.0
 ip helper-address 192.168.0.2
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 crypto map vpn
!
interface Serial1
 no ip address
 shutdown
!
router rip
 network 192.168.0.0
 network 192.168.1.0
 no auto-summary
!
ip classless
ip route 192.168.0.2 255.255.255.255 192.168.0.1
ip http server
!
access-list 100 permit ip host 192.168.0.5 host 192.168.2.1
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

routera>>#

Router B:
hostname routerb>>
!
!
!
!
!
!
clock timezone pacific -7
ip subnet-zero
ip host sun.com 192.168.0.2
ip host jt-xixngte70fxo. 192.168.0.2
ip host entrust.com 216.191.253.14
ip domain-name jterry.net
ip name-server 192.168.0.2
!
!
!
crypto ca identity sun.com
 enrollment url http://192.168.0.2:80
 query url ldap://192.168.0.2
 crl optional
crypto ca certificate chain sun.com
 certificate 06
  308201BF 30820169 A0030201 02020106 300D0609 2A864886
  (truncated)
  quit
 certificate ca 01
  30820231 308201DB A0030201 02020101 300D0609 2A864886
  (truncated)
  quit
!
crypto isakmp policy 1
 hash md5
crypto isakmp identity hostname
!
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set myset
 match address 100
!
!
!
!
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 no keepalive
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
 no fair-queue
 clock rate 1300000
 crypto map mymap
!
interface Serial1
 no ip address
 shutdown
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 no auto-summary
!
ip classless
ip http server
!
access-list 100 permit ip host 192.168.2.1 host 192.168.0.5
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

routerb>>#

JT

----- Original Message -----
From:
To:
Sent: Wednesday, July 03, 2002 11:31 AM
Subject: RE: [vpn] VPN and RSA keys

> Hi there...please be sure to copy everyone on what your findings are for
> your situation. We work with cisco routers and Sun iPlanet so I'm very
> interested to know how to fix.
>
> Thank You!
> Lisa K. Webster
>
> Department Admin
> Solutions Engineering Group
> Sprint E-Solutions Support Team
> 1510 E. Rochelle, 2nd FL
> Irving, Texas 75039-4307
> Mailstop: TXIVGK0202
> VM: 972-405-1368
> PX: 972-405-3515
> PCS: 214-274-9532
> Email: Lisa.K.Webster at mail.sprint.com
>
> -----Original Message-----
> From: jtixthus [mailto:jtixthus at attbi.com]
> Sent: Wednesday, July 03, 2002 12:00 PM
> To: vpn
> Subject: [vpn] VPN and RSA keys
>
> [...]

From tbird at precision-guesswork.com  Wed Jul  3 16:04:30 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 3 Jul 2002 20:04:30 +0000 (GMT)
Subject: [vpn] VPN and RSA keys
In-Reply-To: <001301c222c2$8f3bb590$0200a8c0@jtxixngte70fxo>
Message-ID: <20020703200232.S41933-100000@sisyphus.iocaine.com>

You've got the same IP address, 192.168.0.2, listed twice:

> ip host sun.com 192.168.0.2
> ip host entrust.com 216.191.253.14
> ip host jt-xixngte70fxo 192.168.0.2

I don't know if that would produce the effect you've observed, but it doesn't seem right to me.
tbird

"The road of excess leads to the palace of wisdom."
William Blake, "Proverbs of Hell"

http://www.shmoo.com/~tbird
Log Analysis http://www.counterpane.com/log-analysis.html
VPN http://vpn.shmoo.com

On Wed, 3 Jul 2002, Jim Terry wrote:

> Since this is a lab situation here are my configs
> Router A:
> hostname routera>>
> !
> clock timezone pacific -7
> ip subnet-zero
> ip host sun.com 192.168.0.2
> ip host entrust.com 216.191.253.14
> ip host jt-xixngte70fxo 192.168.0.2
> ip domain-name jterry.net
> ip name-server 192.168.0.2

From evyncke at cisco.com  Thu Jul  4 09:57:34 2002
From: evyncke at cisco.com (Eric Vyncke)
Date: Thu, 04 Jul 2002 15:57:34 +0200
Subject: [vpn] VPN and RSA keys
In-Reply-To: <001301c222c2$8f3bb590$0200a8c0@jtxixngte70fxo>
References:
Message-ID: <4.3.2.7.2.20020704155347.0242ac68@brussels.cisco.com>

A couple of comments on your configurations:
- I'm puzzled by the static IP route for 192.168.0.2
- usually, the crypto ACL are protecting the whole subnet (but what you are doing should work anyway), I would have expected
    permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
- the IKMP_NOT_ENCRYPTED alone is probably due to a bad key exchange/authentication
- you may want to issue the commands 'debug crypto isakmp' and 'terminal monitor' for more information
- did you check that the TIME is correct on both routers? 'show clock'

Hope this helps

-eric

At 11:50 3/07/2002 -0700, Jim Terry wrote:
>[...]
From Joel.Snyder at Opus1.COM  Mon Jul  8 16:05:03 2002
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Mon, 08 Jul 2002 13:05:03 -0700 (MST)
Subject: [vpn] Cisco IPSec DES Bandwidth Overhead
In-Reply-To: "Your message dated Thu, 20 Jun 2002 07:13:28 -0700" <3D11E309.372B0789@opus1.com>
Message-ID: <01KJUQ8MPH5W9GVEND@Opus1.COM>

I don't know if anyone paid any attention (presumably not, because no one caught my error), but I re-visited this calculation (from 20-June) today and stand by my original number: 50 to 57 octets overhead for ESP in tunnel mode with DES or 3DES (the general case). In the one I'm quoting below, I somehow got 16 octets as the ICV, which it's not---96 bits is 12 octets.

Just so the record's straight and my conscience is clear...

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

>> 32 bytes for ESP with DES+MD5
>
>No, definitely more than that. Here's the breakdown:
>
>20 octets for the IP tunnel header.
>4 for the SPI
>4 for the sequence number
>8 for the IV (DES/3DES are the same; 64-bit IV)
>some amount of padding, which may be between 0 and 7 octets
>1 octet for pad length
>1 octet for next header
>16 octets for the ICV (hash) (HMAC-SHA1-96 or HMAC-MD5-96 are the same)
>
>So I was wrong: it's between 54 and 61.
>
>I don't know where I came up with 50 to 57. Probably counted the IV as
>4 instead of 8. It was late here...
>
>jms
>
>Christopher Gripp wrote:
>>
>> 32 bytes for ESP with DES+MD5
>>
>> -----Original Message-----
>> From: Andre Venter [mailto:andrev at uunet.co.za]
>> Sent: Wed 6/19/2002 10:17 PM
>> To: vpn at securityfocus.com
>> Cc:
>> Subject: [vpn] Cisco IPSec DES Bandwidth Overhead
>>
>> Hi All,
>>
>> Can anybody tell me what the Bandwidth overhead is, as an average percentage, when using Cisco IPSec DES Encryption between two points.
>>
>> Any info would be appreciated,
>>
>> Kind Regards
>>
>> Andre
>
>--
>Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
>Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
>jms at Opus1.COM http://www.opus1.com/jms Opus One

From JLebowitsch at imperito.com  Mon Jul  8 20:45:24 2002
From: JLebowitsch at imperito.com (Lebowitsch, Jonathan)
Date: Mon, 8 Jul 2002 17:45:24 -0700
Subject: [vpn] Dynamic IP & Branch-office VPN Tunnels
Message-ID:

AFAIK the problem is that per the standards you can't negotiate IKE with preshared secret unless you know in advance the IP address of the peers. All these proprietary protocols are a way to get around this limitation, when the IP addresses are dynamic and preshared secret is used.

It should be possible to get around this by using certificates instead of pre-shared secret for IKE.
-----Original Message-----
From: Scott Penno [mailto:scott.penno at gennex.com.au]
Sent: Tue, July 02, 2002 7:39 PM
To: Dante Mercurio
Cc: vpn at securityfocus.com
Subject: Re: [vpn] Dynamic IP & Branch-office VPN Tunnels

IPSec from a device with a dynamic address [branch] to a device with a fixed IP address [central] is indeed supported as part of the standard. Where multiple IPSec policies exist on the central site VPN device, some form of identification [the ID field within the negotiation] is required to ensure that the correct IPSec policy is selected for the remote device. I believe this is exactly the scenario being used by the Netscreen device and that I've experienced with devices from other vendors including Allied Telesyn and TimeStep and client software from SafeNet and TimeStep.

Scott.

----- Original Message -----
From: "Dante Mercurio"
Sent: Wednesday, July 03, 2002 6:52 AM
Subject: [vpn] Dynamic IP & Branch-office VPN Tunnels

Are there any industry standards (or ones being developed) in regard to creating a branch office VPN with a device that gets a dynamic IP? It seems that each manufacturer has its own proprietary solution limiting any implementation to their brand only. WatchGuard uses a proprietary protocol they call DVCP. NetScreen uses peer IDs. Checkpoint appliances have a version of their client that is invoked via a web browser, etc.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
dmercurio at ccgsecurity.com
Consulting Group Manager
Continental Consulting Group, LLC
www.ccgsecurity.com

From Travis.Watson at Honeywell.com Tue Jul 9 15:18:09 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Tue, 9 Jul 2002 12:18:09 -0700
Subject: [vpn] charity work

Can anyone out there help a Cisco-moron? I just need the basic syntax to trust a distant host implicitly with a PIX (the latest IOS)?
I know it's something to the effect of:

access-list permit any host x.x.x.x

But I don't have a PIX here to play with and hit the question mark 5 or 10 times.

Many thanks to anyone willing.

--Travis

From Travis.Watson at Honeywell.com Tue Jul 9 17:28:24 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Tue, 9 Jul 2002 14:28:24 -0700
Subject: [vpn] charity work

Josh Vince took care of this for me (read: held my hand). Many thanks to him and all who replied.

Regards,
Travis

-----Original Message-----
From: Watson, Travis [mailto:Travis.Watson at Honeywell.com]
Sent: Tuesday, July 09, 2002 12:18 PM
To: Vpn-securityfocus (E-mail)
Subject: [vpn] charity work

Can anyone out there help a Cisco-moron? I just need the basic syntax to trust a distant host implicitly with a PIX (the latest IOS)?

I know it's something to the effect of:

access-list permit any host x.x.x.x

But I don't have a PIX here to play with and hit the question mark 5 or 10 times.

Many thanks to anyone willing.

--Travis

From losttoy2000 at yahoo.co.uk Wed Jul 10 09:21:42 2002
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Wed, 10 Jul 2002 14:21:42 +0100 (BST)
Subject: [vpn] Site-to-site VPNs to same networks
Message-ID: <20020710132142.18907.qmail@web12706.mail.yahoo.com>

Hi,

I need to establish site-to-site IPSec tunnels to remote networks whose IP addressing is not determined by me. These networks might use the same IP address pools for their LANs.

How do I configure my VPN device in such a scenario?

Regards,

Siddhartha

__________________________________________________
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
http://uk.my.yahoo.com

From Travis.Watson at Honeywell.com Wed Jul 10 14:08:59 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Wed, 10 Jul 2002 11:08:59 -0700
Subject: [vpn] Site-to-site VPNs to same networks

Siddhartha,

I'm not quite sure what you are asking, but it sounds like you just have to ask the distant end what IP address they are using as an outside interface. Presumably, that is not going to be difficult, but I don't know if you have a contact at the distant end.

Regarding your second concern, the endpoint IP address (outside interface) can't be in the same subnet as the LAN it is protecting. If you have limited IP space, you can use the public IPs for external interfaces and give 10.x.x.x and/or 192.168.x.x to the internal nets. Then have the internal nets NAT to a smaller, public IP range when going across the tunnel so you can route them on either side.

Hope that helps.

--Travis

-----Original Message-----
From: Siddhartha Jain [mailto:losttoy2000 at yahoo.co.uk]
Sent: Wednesday, July 10, 2002 6:22 AM
To: vpn at securityfocus.com
Subject: [vpn] Site-to-site VPNs to same networks

Hi,

I need to establish site-to-site IPSec tunnels to remote networks whose IP addressing is not determined by me. These networks might use the same IP address pools for their LANs.

How do I configure my VPN device in such a scenario?

Regards,

Siddhartha

__________________________________________________
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
http://uk.my.yahoo.com

From sandy at storm.ca Wed Jul 10 16:56:22 2002
From: sandy at storm.ca (Sandy Harris)
Date: Wed, 10 Jul 2002 13:56:22 -0700
Subject: [vpn] Site-to-site VPNs to same networks
References: <20020710132142.18907.qmail@web12706.mail.yahoo.com>
Message-ID: <3D2C9F76.6A9BED5D@storm.ca>

Siddhartha Jain wrote:
>
> Hi,
>
> I need to establish site-to-site IPSec tunnels to
> remote networks whose IP addressing is not determined
> by me. These networks might use the same IP address
> pools for their LANs.
>
> How do I configure my VPN device in such a scenario?

A general answer for this question may be in this list's FAQ, or perhaps one on vpnc.org.

A discussion for the Linux FreeS/WAN implementation is in their FAQ:
http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/faq.html#dup_route

From daniel at vancesystems.com Wed Jul 10 14:43:28 2002
From: daniel at vancesystems.com (Daniel M. Vance)
Date: Wed, 10 Jul 2002 11:43:28 -0700
Subject: [vpn] Seeking low cost hardware VPN solutions
Message-ID: <3D2C8050.B3FFCF75@vancesystems.com>

I'm looking for an inexpensive "Hardware" VPN solution for a small company which has three business locations in three different cities.

Site 1 - Has two PCs - On a peer-to-peer LAN

Site 2 - Has four PCs - On a peer-to-peer LAN

Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN

Does anyone on this list have experience with a similar VPN or can direct me to Internet resources for hardware based VPNs, e.g. comparison of available systems.

Thank you, in advance

Daniel Vance
---
Daniel M. Vance & Associates
Ph(520)797-2225 Fax(520)297-0348
mailto:daniel at vancesystems.com
http://www.vancesystems.com
http://www.vancesystems.com/scuba
Tucson, Arizona USA

From Debashis.Ghosh at geasn.ge.com Wed Jul 10 15:30:34 2002
From: Debashis.Ghosh at geasn.ge.com (Ghosh, Debashis (CORP, CIM))
Date: Thu, 11 Jul 2002 03:30:34 +0800
Subject: [vpn] Seeking low cost hardware VPN solutions

Try netscreen. Excellent boxes for under 1000 bucks. Very good performance and it does VPN and firewall and traffic shaping in the same box.

-----Original Message-----
From: Daniel M. Vance [mailto:daniel at vancesystems.com]
Sent: Wednesday, July 10, 2002 2:43 PM
To: VPN-List
Subject: [vpn] Seeking low cost hardware VPN solutions

I'm looking for an inexpensive "Hardware" VPN solution for a small company which has three business locations in three different cities.

Site 1 - Has two PCs - On a peer-to-peer LAN

Site 2 - Has four PCs - On a peer-to-peer LAN

Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN

Does anyone on this list have experience with a similar VPN or can direct me to Internet resources for hardware based VPNs, e.g. comparison of available systems.

Thank you, in advance

Daniel Vance
---
Daniel M. Vance & Associates
Ph(520)797-2225 Fax(520)297-0348
mailto:daniel at vancesystems.com
http://www.vancesystems.com
http://www.vancesystems.com/scuba
Tucson, Arizona USA

"NOTICE This e-mail and any attachment is intended only for the exclusive and confidential use of the addressee(s). If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. If you have received this message in error, please notify the sender by return e-mail immediately and delete the message from your computer without making any copies."
From lists at rickbestany.net Wed Jul 10 15:17:51 2002
From: lists at rickbestany.net (Rick Bestany)
Date: Wed, 10 Jul 2002 15:17:51 -0400
Subject: [vpn] Seeking low cost hardware VPN solutions
In-Reply-To: <3D2C8050.B3FFCF75@vancesystems.com>

SmoothWall SmoothWall SmoothWall

http://www.smoothwall.co.uk

> -----Original Message-----
> From: Daniel M. Vance [mailto:daniel at vancesystems.com]
> Sent: Wednesday, July 10, 2002 2:43 PM
> To: VPN-List
> Subject: [vpn] Seeking low cost hardware VPN solutions
>
> I'm looking for an inexpensive "Hardware" VPN solution for a small
> company which has three business locations in three different cities.
>
> Site 1 - Has two PCs - On a peer-to-peer LAN
>
> Site 2 - Has four PCs - On a peer-to-peer LAN
>
> Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN
>
> Does anyone on this list have experience with a similar VPN or can
> direct me to Internet resources for hardware based VPNs, e.g. comparison
> of available systems.
>
> Thank you, in advance
>
> Daniel Vance
> ---
> Daniel M. Vance & Associates
> Ph(520)797-2225 Fax(520)297-0348
> mailto:daniel at vancesystems.com
> http://www.vancesystems.com
> http://www.vancesystems.com/scuba
> Tucson, Arizona USA

From Mike.Hancock at sourcemed.net Wed Jul 10 15:28:51 2002
From: Mike.Hancock at sourcemed.net (Mike Hancock)
Date: Wed, 10 Jul 2002 14:28:51 -0500
Subject: [vpn] Seeking low cost hardware VPN solutions
Message-ID: <7B0453A9A8227C4EADBA6AAEC29CDDA101E9280F@smbhmex01.corp.sourcemed.net>

The new NetScreen 5xt has a 4 or 5 port hub built in also....about $500-$600.

-----Original Message-----
From: Ghosh, Debashis (CORP, CIM) [mailto:Debashis.Ghosh at geasn.ge.com]
Sent: Wednesday, July 10, 2002 2:31 PM
To: 'Daniel M. Vance'; VPN-List
Subject: RE: [vpn] Seeking low cost hardware VPN solutions

Try netscreen.
Excellent boxes for under 1000 bucks. Very good performance and it does VPN and firewall and traffic shaping in the same box.

-----Original Message-----
From: Daniel M. Vance [mailto:daniel at vancesystems.com]
Sent: Wednesday, July 10, 2002 2:43 PM
To: VPN-List
Subject: [vpn] Seeking low cost hardware VPN solutions

I'm looking for an inexpensive "Hardware" VPN solution for a small company which has three business locations in three different cities.

Site 1 - Has two PCs - On a peer-to-peer LAN

Site 2 - Has four PCs - On a peer-to-peer LAN

Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN

Does anyone on this list have experience with a similar VPN or can direct me to Internet resources for hardware based VPNs, e.g. comparison of available systems.

Thank you, in advance

Daniel Vance
---
Daniel M. Vance & Associates
Ph(520)797-2225 Fax(520)297-0348
mailto:daniel at vancesystems.com
http://www.vancesystems.com
http://www.vancesystems.com/scuba
Tucson, Arizona USA

"NOTICE This e-mail and any attachment is intended only for the exclusive and confidential use of the addressee(s). If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. If you have received this message in error, please notify the sender by return e-mail immediately and delete the message from your computer without making any copies."

From kent at dalliesin.com Wed Jul 10 15:36:51 2002
From: kent at dalliesin.com (Kent Dallas)
Date: Wed, 10 Jul 2002 15:36:51 -0400
Subject: [vpn] Seeking low cost hardware VPN solutions
In-Reply-To: <3D2C8050.B3FFCF75@vancesystems.com>

Daniel,

Just curious, why "hardware" VPN solutions? Most folks tend toward hardware solutions for scalability, which doesn't sound like a real concern for you. "Inexpensive" is more often associated with software VPNs.
It sounds like you have a need for site-to-site VPN, but not much need for remote access, is that correct? I'm just wondering if you are unnecessarily limiting your solution set with an artificial restriction.

Kent Dallas

PS - And if it must be hardware, I like the Netscreen boxes as well.

-----Original Message-----
From: Daniel M. Vance [mailto:daniel at vancesystems.com]
Sent: Wednesday, July 10, 2002 2:43 PM
To: VPN-List
Subject: [vpn] Seeking low cost hardware VPN solutions

I'm looking for an inexpensive "Hardware" VPN solution for a small company which has three business locations in three different cities.

Site 1 - Has two PCs - On a peer-to-peer LAN

Site 2 - Has four PCs - On a peer-to-peer LAN

Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN

Does anyone on this list have experience with a similar VPN or can direct me to Internet resources for hardware based VPNs, e.g. comparison of available systems.

Thank you, in advance

Daniel Vance
---
Daniel M. Vance & Associates
Ph(520)797-2225 Fax(520)297-0348
mailto:daniel at vancesystems.com
http://www.vancesystems.com
http://www.vancesystems.com/scuba
Tucson, Arizona USA

From joncz at mindspring.com Wed Jul 10 15:34:32 2002
From: joncz at mindspring.com (Jon Czerwinski)
Date: Wed, 10 Jul 2002 15:34:32 -0400
Subject: [vpn] Seeking low cost hardware VPN solutions
In-Reply-To: <3D2C8050.B3FFCF75@vancesystems.com>
Message-ID: <200207101934.AMM51790@mailrtr2.mailzone.edeltacom.com>

Sonicwall has a line of products that will fit those sized offices very well.

On Wed, 10 Jul 2002 11:43:28 -0700, Daniel M. Vance wrote:

>I'm looking for an inexpensive "Hardware" VPN solution for a small
>company which has three business locations in three different cities.
>
>Site 1 - Has two PCs - On a peer-to-peer LAN
>
>Site 2 - Has four PCs - On a peer-to-peer LAN
>
>Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN
>
>Does anyone on this list have experience with a similar VPN or can
>direct me to Internet resources for hardware based VPNs, e.g. comparison
>of available systems.
>
>Thank you, in advance
>
>Daniel Vance
>---
>Daniel M. Vance & Associates
>Ph(520)797-2225 Fax(520)297-0348
>mailto:daniel at vancesystems.com
>http://www.vancesystems.com
>http://www.vancesystems.com/scuba
>Tucson, Arizona USA
>

Jon Czerwinski
Vice President
Cohn Consulting Corporation
2627 Sandy Plains Rd Suite 204
Marietta, GA 30066
(770) 368-7853

From tbird at precision-guesswork.com Wed Jul 10 16:08:30 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 10 Jul 2002 20:08:30 +0000 (GMT)
Subject: [vpn] Site-to-site VPNs to same networks
Message-ID: <20020710200635.D48383-100000@sisyphus.iocaine.com>

The way I read Siddhartha's message, he is concerned that the >internal< networks are addressed out of the same range. If that's the case, the use of the external address isn't going to fix things -- because there's no way to do the routing. Remember that the local system has to know to send traffic destined for the remote private network to the VPN gateway. If both the local and remote LANs are addressed from, say, 192.168.16.0/24, there's no way to route.

The answer there being, co-operation between network admins on both sides. Oh joy. I've been looking for a better answer for years, but no luck.

tbird

"The road of excess leads to the palace of wisdom."
William Blake, "Proverbs of Hell"

http://www.shmoo.com/~tbird
Log Analysis http://www.counterpane.com/log-analysis.html
VPN http://vpn.shmoo.com

On Wed, 10 Jul 2002, Watson, Travis wrote:

> Siddhartha,
>
> I'm not quite sure what you are asking, but it sounds like you just have to
> ask the distant end what IP address they are using as an outside interface.
> Presumably, that is not going to be difficult, but I don't know if you have
> a contact at the distant end.
>
> Regarding your second concern, the endpoint IP address (outside interface)
> can't be in the same subnet as the LAN it is protecting. If you have limited
> IP space, you can use the public IPs for external interfaces and give
> 10.x.x.x and/or 192.168.x.x to the internal nets. Then have the internal
> nets NAT to a smaller, public IP range when going across the tunnel so you
> can route them on either side.
>
> Hope that helps.
>
> --Travis
>
> -----Original Message-----
> From: Siddhartha Jain [mailto:losttoy2000 at yahoo.co.uk]
> Sent: Wednesday, July 10, 2002 6:22 AM
> To: vpn at securityfocus.com
> Subject: [vpn] Site-to-site VPNs to same networks
>
> Hi,
>
> I need to establish site-to-site IPSec tunnels to
> remote networks whose IP addressing is not determined
> by me. These networks might use the same IP address
> pools for their LANs.
>
> How do I configure my VPN device in such a scenario?
>
> Regards,
>
> Siddhartha
>
> __________________________________________________
> Do You Yahoo!?
> Everything you'll ever need on one web page
> from News and Sport to Email and Music Charts
> http://uk.my.yahoo.com

From ryan at securityfocus.com Wed Jul 10 17:43:14 2002
From: ryan at securityfocus.com (Ryan Russell)
Date: Wed, 10 Jul 2002 15:43:14 -0600 (MDT)
Subject: [vpn] Site-to-site VPNs to same networks
In-Reply-To: <20020710200635.D48383-100000@sisyphus.iocaine.com>

Yes, you just have to do double-NAT, and have a matching hacked-up naming system to do the mapping. Way ugly, but theoretically possible. Don't expect the MS protocols to play along...

Ryan

On Wed, 10 Jul 2002, Tina Bird wrote:

> The way I read Siddhartha's message, he is concerned that the >internal<
> networks are addressed out of the same range. If that's the case, the use
> of the external address isn't going to fix things -- because there's no
> way to do the routing. Remember that the local system has to know to send
> traffic destined for the remote private network to the VPN gateway. If
> both the local and remote LANs are addressed from, say,
> 192.168.16.0/24, there's no way to route.
>
> The answer there being, co-operation between network admins on both sides.
> Oh joy. I've been looking for a better answer for years, but no luck.

From rmalayter at bai.org Wed Jul 10 17:52:36 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Wed, 10 Jul 2002 16:52:36 -0500
Subject: [vpn] Seeking low cost hardware VPN solutions
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FD6D@mail.bai.org>

http://www.cdw.com/shop/products/default.asp?EDC=378498

Will do what you need for about $130 per site

-----Original Message-----
From: Daniel M. Vance [mailto:daniel at vancesystems.com]
Sent: Wednesday, July 10, 2002 1:43 PM
To: VPN-List
Subject: [vpn] Seeking low cost hardware VPN solutions

I'm looking for an inexpensive "Hardware" VPN solution for a small company which has three business locations in three different cities.

Site 1 - Has two PCs - On a peer-to-peer LAN

Site 2 - Has four PCs - On a peer-to-peer LAN

Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN

Does anyone on this list have experience with a similar VPN or can direct me to Internet resources for hardware based VPNs, e.g. comparison of available systems.

Thank you, in advance

Daniel Vance
---
Daniel M. Vance & Associates
Ph(520)797-2225 Fax(520)297-0348
mailto:daniel at vancesystems.com
http://www.vancesystems.com
http://www.vancesystems.com/scuba
Tucson, Arizona USA

From natasha at espace.net Wed Jul 10 19:52:19 2002
From: natasha at espace.net (Natasha Smith)
Date: Wed, 10 Jul 2002 16:52:19 -0700
Subject: [vpn] Site-to-site VPNs to same networks
In-Reply-To: <20020710200635.D48383-100000@sisyphus.iocaine.com>
Message-ID: <5.1.0.14.2.20020710164449.032e4a20@mail.espace.net>

Q8 in the FAQ touches on this slightly, but generally I don't think the FAQ addresses this.

The original idea was that this situation would exist -- the example was one of the ANX problems -- Bob Moskowitz used to tell us that Chrysler used 10.x.x.x addresses to talk to Isuzu in the same address range. The answer, hopefully, was that the VPN gateway did NAT also. So the packets would be NAT-translated "at each end of the VPN tunnel".

So, as a user, the trick would be to obtain two VPN gateways that had NAT properly integrated. Then, you'd configure each end to "talk to the public-equivalent address of the other end".

The VPNC web site probably doesn't address this -- specifically, use or type of use of NAT is not listed in the features page.
At 08:08 PM 7/10/02 +0000, Tina Bird wrote:
>The way I read Siddhartha's message, he is concerned that the >internal<
>networks are addressed out of the same range. If that's the case, the use
>of the external address isn't going to fix things -- because there's no
>way to do the routing. Remember that the local system has to know to send
>traffic destined for the remote private network to the VPN gateway. If
>both the local and remote LANs are addressed from, say,
>192.168.16.0/24, there's no way to route.

From stephen at etunnels.com Wed Jul 10 20:28:07 2002
From: stephen at etunnels.com (Stephen J Bevan)
Date: Wed, 10 Jul 2002 17:28:07 -0700
Subject: [vpn] Site-to-site VPNs to same networks
In-Reply-To: <20020710132142.18907.qmail@web12706.mail.yahoo.com>
References: <20020710132142.18907.qmail@web12706.mail.yahoo.com>
Message-ID: <15660.53527.243358.298017@apathy.etunnels.com>

Siddhartha Jain writes:
> I need to establish site-to-site IPSec tunnels to
> remote networks whose IP addressing is not determined
> by me. These networks might use the same IP address
> pools for their LANs.
>
> How do I configure my VPN device in such a scenario?

Generally the answer is you don't unless you are prepared to renumber the networks.

However, you can make it work if :-

* both VPN devices support NAT at the right point in the stack.

* you can get the cooperation of the person setting up the VPN at the remote network to install some NAT rules on the VPN device.

* you don't need to support any protocols that break if they are run over NAT.

For example, assume you have two sites A and B which use the same private range (192.168.1.0/24) :-

              A                                             B
  192.168.1.0/24 : 1.1.1.1 --- internet --- 2.2.2.2 : 192.168.1.0/24

If you can agree on some address space that neither side are using then you can NAT each private range to a new range. Assuming that 10.0.0.0/16 is free then we'd have the following mappings :-

  A = 192.168.1.0/24 <-> 10.0.1.0/24
  B = 192.168.2.0/24 <-> 10.0.2.0/24

So if A wants to send traffic to B then it is addressed to 10.0.2.0/24. To make sure that B can reply, A must do source NAT for outbound packets so that although the packet is coming from 192.168.1.0/24, B will see it as coming from 10.0.1.0/24. Similarly B does source NAT of 192.168.1.0/24 to 10.0.2.0/24 for outbound packets.

Depending on where exactly NAT is done relative to IPsec in your VPN device then A would either have security policy entries of the form :-

  192.168.1.0/24 -> 10.0.2.0/24 via 1.1.1.1

or :-

  10.0.1.0/24 -> 10.0.2.0/24 via 1.1.1.1

From natasha at espace.net Wed Jul 10 20:45:46 2002
From: natasha at espace.net (Natasha Smith)
Date: Wed, 10 Jul 2002 17:45:46 -0700
Subject: Fwd: [vpn] Site-to-site VPNs to same networks
Message-ID: <5.1.0.14.2.20020710174355.032d2150@mail.espace.net>

>Siddhartha Jain writes:
> > I need to establish site-to-site IPSec tunnels to
> > remote networks whose IP addressing is not determined
> > by me. These networks might use the same IP address
> > pools for their LANs.
> >
> > How do I configure my VPN device in such a scenario?
>
>Generally the answer is you don't unless you are prepared to renumber
>the networks.

One other point -- if you do this, you are using private addresses outside your private network. In other words, you are "violating" RFC 1918. This observation works, once in a while, to explain why this shouldn't be done.

From Travis.Watson at Honeywell.com Wed Jul 10 21:09:12 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Wed, 10 Jul 2002 18:09:12 -0700
Subject: [vpn] Seeking low cost hardware VPN solutions

Ryan,

Can those things NAT internal to the device? I know Linksys' low-end version can't and, for $130, it might be a tall order.
It also might be a moot point for Daniel, but just in case his IP space is limited...

For $130 though, that sounds like a pretty decent product. Have you used it?

Thanks,
Travis

-----Original Message-----
From: Ryan Malayter [mailto:rmalayter at bai.org]
Sent: Wednesday, July 10, 2002 2:53 PM
To: vpn at securityfocus.com
Subject: RE: [vpn] Seeking low cost hardware VPN solutions

http://www.cdw.com/shop/products/default.asp?EDC=378498

Will do what you need for about $130 per site

-----Original Message-----
From: Daniel M. Vance [mailto:daniel at vancesystems.com]
Sent: Wednesday, July 10, 2002 1:43 PM
To: VPN-List
Subject: [vpn] Seeking low cost hardware VPN solutions

I'm looking for an inexpensive "Hardware" VPN solution for a small company which has three business locations in three different cities.

Site 1 - Has two PCs - On a peer-to-peer LAN

Site 2 - Has four PCs - On a peer-to-peer LAN

Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN

Does anyone on this list have experience with a similar VPN or can direct me to Internet resources for hardware based VPNs, e.g. comparison of available systems.

Thank you, in advance

Daniel Vance
---
Daniel M. Vance & Associates
Ph(520)797-2225 Fax(520)297-0348
mailto:daniel at vancesystems.com
http://www.vancesystems.com
http://www.vancesystems.com/scuba
Tucson, Arizona USA

From danny at stallion.oz.au Wed Jul 10 21:24:03 2002
From: danny at stallion.oz.au (Danny Smith)
Date: Thu, 11 Jul 2002 11:24:03 +1000
Subject: [vpn] Site-to-site VPNs to same networks
In-Reply-To: <15660.53527.243358.298017@apathy.etunnels.com>

Hi all,

For what it's worth, our ePipe product I mentioned a week or so ago supports NAT at this point, on a client side E2B-IPSec tunnel to another ePipe.
Cheers,
Danny

> -----Original Message-----
> From: Stephen J Bevan [mailto:stephen at etunnels.com]
> Sent: Thursday, 11 July 2002 10:28 AM
> To: Siddhartha Jain
> Cc: vpn at securityfocus.com
> Subject: [vpn] Site-to-site VPNs to same networks
>
> Siddhartha Jain writes:
> > I need to establish site-to-site IPSec tunnels to
> > remote networks whose IP addressing is not determined
> > by me. These networks might use the same IP address
> > pools for their LANs.
> >
> > How do I configure my VPN device in such a scenario?
>
> Generally the answer is you don't unless you are prepared to renumber
> the networks.
>
> However, you can make it work if :-
>
> * both VPN devices support NAT at the right point in the stack.
>
> * you can get the cooperation of the person setting up the VPN at the
> remote network to install some NAT rules on the VPN device.
>
> * you don't need to support any protocols that break if they are run
> over NAT.
>
> For example, assume you have two sites A and B which use the same
> private range (192.168.1.0/24) :-
>
>               A                                             B
>   192.168.1.0/24 : 1.1.1.1 --- internet --- 2.2.2.2 : 192.168.1.0/24
>
> If you can agree on some address space that neither side are using
> then you can NAT each private range to a new range. Assuming that
> 10.0.0.0/16 is free then we'd have the following mappings :-
>
>   A = 192.168.1.0/24 <-> 10.0.1.0/24
>   B = 192.168.2.0/24 <-> 10.0.2.0/24
>
> So if A wants to send traffic to B then it is addressed to 10.0.2.0/24.
> To make sure that B can reply, A must do source NAT for outbound
> packets so that although the packet is coming from 192.168.1.0/24, B
> will see it as coming from 10.0.1.0/24. Similarly B does source
> NAT of 192.168.1.0/24 to 10.0.2.0/24 for outbound packets.
>
> Depending on where exactly NAT is done relative to IPsec in your VPN
> device then A would either have security policy entries of the form :-
>
>   192.168.1.0/24 -> 10.0.2.0/24 via 1.1.1.1
>
> or :-
>
>   10.0.1.0/24 -> 10.0.2.0/24 via 1.1.1.1

From james at heague.com.au Wed Jul 10 21:36:21 2002
From: james at heague.com.au (James McNeill)
Date: Thu, 11 Jul 2002 11:36:21 +1000
Subject: [vpn] windows VPN clients
Message-ID: <001001c2287b$5e966c00$0f00a8c0@james>

Hi all.

Does anyone know of any open source/freeware/public domain VPN clients for the win 9x or NT platform? Or should we just get another Linux box?

ta
-James

William Heague
Barristers & Solicitors

From Travis.Watson at Honeywell.com Wed Jul 10 21:47:29 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Wed, 10 Jul 2002 18:47:29 -0700
Subject: [vpn] windows VPN clients

PGP/GPG is your best bet.

http://www.pgpi.org

-----Original Message-----
From: James McNeill [mailto:james at heague.com.au]
Sent: Wednesday, July 10, 2002 6:36 PM
To: vpn at securityfocus.com
Subject: [vpn] windows VPN clients

Hi all.

Does anyone know of any open source/freeware/public domain VPN clients for the win 9x or NT platform? Or should we just get another Linux box?

ta
-James

William Heague
Barristers & Solicitors

From mcse4dave at HotPOP.com Wed Jul 10 21:56:18 2002
From: mcse4dave at HotPOP.com (Dave)
Date: Wed, 10 Jul 2002 18:56:18 -0700
Subject: [vpn] windows VPN clients
References: <001001c2287b$5e966c00$0f00a8c0@james>
Message-ID: <018001c2287e$26890720$0201a8c0@house>

Hi James,

You don't mention what you are going to use as a VPN server - seems to make a difference, lots of folks recommend that the server and client match... but who knows?
There are many free VPN clients available on the web...but here is something new from M$ - a FREE Windows L2TP/IPSec VPN Client

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

Dave

----- Original Message -----
From: "James McNeill"
Sent: Wednesday, July 10, 2002 6:36 PM
Subject: [vpn] windows VPN clients

Hi all.

Does anyone know of any open source/freeware/public domain VPN clients for the win 9x or NT platform? Or should we just get another Linux box?

ta
-James

William Heague
Barristers & Solicitors

From munix-1 at pacbell.net Wed Jul 10 23:35:40 2002
From: munix-1 at pacbell.net (Jose Muniz)
Date: Wed, 10 Jul 2002 20:35:40 -0700
Subject: [vpn] Site-to-site VPNs to same networks
References: <20020710132142.18907.qmail@web12706.mail.yahoo.com>
Message-ID: <3D2CFD0C.3050407@pacbell.net>

Need to get 2 blocks of space that do not overlap, that are neutral to both parties [if that is the case]. Then, you will need to statically translate 1:1/any_mask on both ends; that will solve the big problem [routing].

The more technical details are that you obviously want to perform the xlate operation of the source IP on your egress traffic before ESP; for ingress traffic you do the destination translations. All L3 stuff here.

The other big problem: Only you know! It is the apps and protocols that you need to teleport across; the problem then might be with poorly written applications like you know..

The complexity of getting it done resides on the gear that you use. Some firewalls do this [Netscreens], just like that! Out of the box with a little config and doing the work on an asic/

jOse.

Siddhartha Jain wrote:
> Hi,
>
> I need to establish site-to-site IPSec tunnels to
> remote networks whose IP addressing is not determined
> by me. These networks might use the same IP address
> pools for their LANs.
>
> How do I configure my VPN device in such a scenario?
>
> Regards,
>
> Siddhartha
>
> __________________________________________________
> Do You Yahoo!?
> Everything you'll ever need on one web page
> from News and Sport to Email and Music Charts
> http://uk.my.yahoo.com

From d97red at dtek.chalmers.se Thu Jul 11 05:10:10 2002
From: d97red at dtek.chalmers.se (Redjamand Kejvan)
Date: Thu, 11 Jul 2002 11:10:10 +0200 (MEST)
Subject: [vpn] VPN with Cisco 3000 - client denied tunnel by server
Message-ID:

Hi everyone!

I've experienced difficulties with Cisco's VPN client while trying to make IPSEC tunnels to a VPN 3015 Concentrator. Authentication method is Radius. The radius server has been tested by the concentrator's built-in test function and is OK. On the VPN server (concentrator) logs first I see the user getting authenticated (but) immediately the tunnel is rejected (it generates an authentication failed error message on the client, although the failure is after being authenticated by the radius server).

The Concentrator logs show misconfigured filter and tunnel is rejected. The question is which filter is misconfigured and where? I've tried changing the default private and public filter which are applied on the interfaces, changing firewalls on clients, ....! I don't know if the error message gives any reliable information. Has anybody had similar experiences?

Both Win 2000 and Linux Clients show the same problem.

Win 2000 client logs:

1 23:44:22.042 07/09/02 Sev=Warning/3 IKE/0xE3000060
The XAUTH authentication failed.

2 23:44:23.805 07/09/02 Sev=Warning/3 DIALER/0xE3300015
GI VPN start callback failed "CM_IKE_ESTABLISH_FAILED_AUTH" (19h).

The Concentrator's log:

> Jul 10 11:45:15 vpnserver.com 18356 07/10/2002 11:45:15.820 SEV=4 IKE/52 RPT=60 146.1.224.45 Group [Group] User [user] User (user at realm) authenticated.
> Jul 10 11:45:15 vpnserver.com 18357 07/10/2002 11:45:15.820 SEV=4 IKE/0 RPT=75 146.1.224.45 Group [Group] User [user] User tunnel rejected: misconfigured filter parameters!
> Jul 10 11:45:15 vpnserver.com 18379 07/10/2002 11:45:15.820 SEV=5 IKE/50 RPT=98 146.1.224.45 Group [Group] User [user] Connection terminated for peer user at realm (Peer Terminate) Remote Proxy N/A, Local Proxy N/A
> Jul 10 13:46:20 vpnserver.com 43649 07/10/2002 13:46:19.330 SEV=6 AUTH/4 RPT=7 146.1.224.45 Authentication successful: handle = 355, server = radiusserver, user = user at realm
> Jul 10 13:46:20 vpnserver.com 43743 07/10/2002 13:46:19.530 SEV=4 IKE/52 RPT=62 146.1.224.45 Group [Group] User [user] User (user at realm) authenticated.
> Jul 10 13:46:20 vpnserver.com 43744 07/10/2002 13:46:19.530 SEV=4 IKE/0 RPT=76 146.1.224.45 Group [Group] User [user] User tunnel rejected: misconfigured filter parameters!
> Jul 10 13:46:20 vpnserve.comr 43766 07/10/2002 13:46:19.530 SEV=5 IKE/50 RPT=101 146.1.224.45 Group [Group] User [user] Connection terminated for peer user at realm (Peer Terminate) Remote Proxy N/A, Local Proxy N/A

Thanks.

// Kejvan

From sandy at storm.ca Thu Jul 11 19:07:34 2002
From: sandy at storm.ca (Sandy Harris)
Date: Thu, 11 Jul 2002 16:07:34 -0700
Subject: [vpn] Seeking low cost hardware VPN solutions
References: <3D2C8050.B3FFCF75@vancesystems.com>
Message-ID: <3D2E0FB6.B3F4DD54@storm.ca>

"Daniel M. Vance" wrote:
>
> I'm looking for an inexpensive "Hardware" VPN solution for a small
> company which has three business locations in three different cities.
>
> Site 1 - Has two PCs - On a peer-to-peer LAN
> Site 2 - Has four PCs - On a peer-to-peer LAN
> Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN
>
> Does anyone on this list have experience with a similar VPN or can
> direct me to Internet resources for hardware based VPNs, e.g. comparison
> of available systems.

Of course you can do this with a two-NIC PC for each site and Linux or one of the BSD's. A surplus 200 MHz machine is likely more than enough. See:
http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/faq.html#faq.speed

However, if your administrators aren't comfortable with Unix, or if you'd just prefer not to have to administer such boxes, there are lots of packaged solutions. Quite a few of them use Linux, with FreeS/WAN for the VPN. There's a list at:
http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/intro.html#turnkey

Of course, those are just the ones the project knows about. Quite possibly some of the other turnkey hardware uses the same code, or the *BSD stuff, but does not publicise that.

From rmalayter at bai.org Thu Jul 11 14:05:38 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Thu, 11 Jul 2002 13:05:38 -0500
Subject: [vpn] Seeking low cost hardware VPN solutions
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FD74@mail.bai.org>

We've set up a couple of them for some of our home users... The firewall isn't the best, of course, but it will do NAT. The IPsec VPN is fast enough to saturate the Cable/DSL connections the users have.

-----Original Message-----
From: Watson, Travis [mailto:Travis.Watson at Honeywell.com]
Sent: Wednesday, July 10, 2002 8:09 PM
To: Ryan Malayter
Cc: vpn at securityfocus.com
Subject: RE: [vpn] Seeking low cost hardware VPN solutions

Ryan,

Can those things NAT internal to the device? I know Linksys' low-end version can't and, for $130, it might be a tall order. It also might be a moot point for Daniel, but just in case his IP space is limited...

For $130 though, that sounds like a pretty decent product. Have you used it?

Thanks,
Travis

-----Original Message-----
From: Ryan Malayter [mailto:rmalayter at bai.org]
Sent: Wednesday, July 10, 2002 2:53 PM
To: vpn at securityfocus.com
Subject: RE: [vpn] Seeking low cost hardware VPN solutions

http://www.cdw.com/shop/products/default.asp?EDC=378498

Will do what you need for about $130 per site

-----Original Message-----
From: Daniel M. Vance [mailto:daniel at vancesystems.com]
Sent: Wednesday, July 10, 2002 1:43 PM
To: VPN-List
Subject: [vpn] Seeking low cost hardware VPN solutions

I'm looking for an inexpensive "Hardware" VPN solution for a small company which has three business locations in three different cities.

Site 1 - Has two PCs - On a peer-to-peer LAN
Site 2 - Has four PCs - On a peer-to-peer LAN
Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN

Does anyone on this list have experience with a similar VPN or can direct me to Internet resources for hardware based VPNs, e.g. comparison of available systems.

Thank you, in advance
Daniel Vance
---
Daniel M. Vance & Associates
Ph(520)797-2225 Fax(520)297-0348
mailto:daniel at vancesystems.com
http://www.vancesystems.com
http://www.vancesystems.com/scuba
Tucson, Arizona USA

From Joel.Snyder at Opus1.COM Fri Jul 12 13:43:53 2002
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Fri, 12 Jul 2002 10:43:53 -0700 (MST)
Subject: [vpn] Network World upcoming review of VPN Remote Access products
Message-ID: <01KK06D7ACP69ED93D@Opus1.COM>

Network World will be reviewing VPN Remote Access products.
Vendors who are interested in participating should read the invitation at:

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

From rmalayter at bai.org Fri Jul 12 15:31:23 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Fri, 12 Jul 2002 14:31:23 -0500
Subject: [vpn] Seeking low cost hardware VPN solutions
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FD8A@mail.bai.org>

It's more like this:

    10.2.x.x          10.2.0.1|66.77.114.11
    CorpLAN<-------->CorpNAT/Firewall
                              /
                             /  IPsec VPN
                            /
                           /
         UserNAT/Firewall<--------->UserLAN
        |10.3.1.1                    10.3.1.x

So the remote firewall device has an IPsec shared-secret security agreement for traffic bound for 10.2.x.x (a private IP scheme for the corporate LAN), and the corporate firewall is configured to allow a tunnel with that particular shared secret.

IP traffic bound from the user's private 10.3.1.x subnet gets routed through the IPsec tunnel right at their firewall, without being NATed. That is, decrypted traffic on the corporate LAN side coming from the remote user still has the 10.3.1.x source address. Traffic flowing from the corporate LAN to the remote site behaves similarly. The IPsec packets themselves only flow between the two public external addresses on each firewall, so NAT/IPsec compatibility really isn't an issue.

I've actually set this up only with SonicWall TELE2 firewalls at the remote site, although a coworker of mine has set them up for other users with the cheaper NetGEAR devices I described below.

HTH,
Ryan

-----Original Message-----
From: Watson, Travis [mailto:Travis.Watson at Honeywell.com]
Sent: Friday, July 12, 2002 12:58 PM
To: Ryan Malayter
Subject: RE: [vpn] Seeking low cost hardware VPN solutions

No kidding? So you give your home users an IP to NAT to and the device NATs internally to it when going through the tunnel?

--Travis

-----Original Message-----
From: Ryan Malayter [mailto:rmalayter at bai.org]
Sent: Thursday, July 11, 2002 11:06 AM
To: vpn at securityfocus.com
Subject: RE: [vpn] Seeking low cost hardware VPN solutions

We've set up a couple of them for some of our home users... The firewall isn't the best, of course, but it will do NAT. The IPsec VPN is fast enough to saturate the Cable/DSL connections the users have.

-----Original Message-----
From: Watson, Travis [mailto:Travis.Watson at Honeywell.com]
Sent: Wednesday, July 10, 2002 8:09 PM
To: Ryan Malayter
Cc: vpn at securityfocus.com
Subject: RE: [vpn] Seeking low cost hardware VPN solutions

Ryan,

Can those things NAT internal to the device? I know Linksys' low-end version can't and, for $130, it might be a tall order. It also might be a moot point for Daniel, but just in case his IP space is limited...

For $130 though, that sounds like a pretty decent product. Have you used it?

Thanks,
Travis

-----Original Message-----
From: Ryan Malayter [mailto:rmalayter at bai.org]
Sent: Wednesday, July 10, 2002 2:53 PM
To: vpn at securityfocus.com
Subject: RE: [vpn] Seeking low cost hardware VPN solutions

http://www.cdw.com/shop/products/default.asp?EDC=378498

Will do what you need for about $130 per site

-----Original Message-----
From: Daniel M. Vance [mailto:daniel at vancesystems.com]
Sent: Wednesday, July 10, 2002 1:43 PM
To: VPN-List
Subject: [vpn] Seeking low cost hardware VPN solutions

I'm looking for an inexpensive "Hardware" VPN solution for a small company which has three business locations in three different cities.

Site 1 - Has two PCs - On a peer-to-peer LAN
Site 2 - Has four PCs - On a peer-to-peer LAN
Site 3 - Headquarters - Has six PCs - On a Windows 2000 server LAN

Does anyone on this list have experience with a similar VPN or can direct me to Internet resources for hardware based VPNs, e.g. comparison of available systems.

Thank you, in advance
Daniel Vance
---
Daniel M. Vance & Associates
Ph(520)797-2225 Fax(520)297-0348
mailto:daniel at vancesystems.com
http://www.vancesystems.com
http://www.vancesystems.com/scuba
Tucson, Arizona USA

From jtixthus at attbi.com Sat Jul 13 14:24:48 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Sat, 13 Jul 2002 11:24:48 -0700
Subject: [vpn] VPN with Cisco 3000 - client denied tunnel by server
References:
Message-ID: <002d01c22a9a$929d7cc0$0200a8c0@jtxixngte70fxo>

Are your clients behind a firewall? If so, try checking the Enable Transparent Tunnelling button on the clients.

JT

----- Original Message -----
From: "Redjamand Kejvan"
To:
Cc:
Sent: Thursday, July 11, 2002 2:10 AM
Subject: [vpn] VPN with Cisco 3000 - client denied tunnel by server

> Hi everyone!
>
> I've experienced difficulties with Cisco's VPN client while trying to
> make IPSEC tunnels to a VPN 3015 Concentrator.
> Authentication method is Radius. The radius server has been tested by the
> concentrator's built-in test function and is OK. On the VPN server
> (concentrator) logs first I see the user getting authenticated (but)
> immediately the tunnel is rejected (it generates an authentication
> failed error message on the client, although the failure is after being
> authenticated by the radius server).
> The Concentrator logs show misconfigured filter and tunnel is
> rejected.
> The question is which filter is misconfigured and where? I've tried
> changing the default private and public filter which are applied on the
> interfaces, changing firewalls on clients, ....!
> I don't know if the error message gives any reliable information. Has
> anybody had similar experiences?
>
> Both Win 2000 and Linux Clients show the same problem.
>
> Win 2000 client logs:
> 1 23:44:22.042 07/09/02 Sev=Warning/3 IKE/0xE3000060
> The XAUTH authentication failed.
> 2 23:44:23.805 07/09/02 Sev=Warning/3 DIALER/0xE3300015
> GI VPN start callback failed "CM_IKE_ESTABLISH_FAILED_AUTH" (19h).
>
> The Concentrator's log:
>
> > Jul 10 11:45:15 vpnserver.com 18356 07/10/2002 11:45:15.820 SEV=4 IKE/52 RPT=60 146.1.224.45 Group [Group] User [user] User (user at realm) authenticated.
> > Jul 10 11:45:15 vpnserver.com 18357 07/10/2002 11:45:15.820 SEV=4 IKE/0 RPT=75 146.1.224.45 Group [Group] User [user] User tunnel rejected: misconfigured filter parameters!
> > Jul 10 11:45:15 vpnserver.com 18379 07/10/2002 11:45:15.820 SEV=5 IKE/50 RPT=98 146.1.224.45 Group [Group] User [user] Connection terminated for peer user at realm (Peer Terminate) Remote Proxy N/A, Local Proxy N/A
> > Jul 10 13:46:20 vpnserver.com 43649 07/10/2002 13:46:19.330 SEV=6 AUTH/4 RPT=7 146.1.224.45 Authentication successful: handle = 355, server = radiusserver, user = user at realm
> > Jul 10 13:46:20 vpnserver.com 43743 07/10/2002 13:46:19.530 SEV=4 IKE/52 RPT=62 146.1.224.45 Group [Group] User [user] User (user at realm) authenticated.
> > Jul 10 13:46:20 vpnserver.com 43744 07/10/2002 13:46:19.530 SEV=4 IKE/0 RPT=76 146.1.224.45 Group [Group] User [user] User tunnel rejected: misconfigured filter parameters!
> > Jul 10 13:46:20 vpnserve.comr 43766 07/10/2002 13:46:19.530 SEV=5 IKE/50 RPT=101 146.1.224.45 Group [Group] User [user] Connection terminated for peer user at realm (Peer Terminate) Remote Proxy N/A, Local Proxy N/A
>
> Thanks.
>
> // Kejvan

From marie at vtl.ee Sun Jul 14 20:14:53 2002
From: marie at vtl.ee (Marie Fischer)
Date: Mon, 15 Jul 2002 03:14:53 +0300
Subject: [vpn] Seeking low cost hardware VPN solutions
Message-ID: <85A3B76C8A41764B8DBA7D799A200280D30F@nts.vtl.ee>

> SmoothWall SmoothWall SmoothWall
> http://www.smoothwall.co.uk

quoting from http://www.smoothwall.co.uk/products/corporateserver/, it seems like they are trying to use jedi mind tricks to make me believe a linux box is a hardware firewall:

"Corporate Server turns a Pentium™-class PC into a dedicated hardware firewall providing 'True Security'. Based on its own operating system, a heavily cut-down version of Linux, it does not suffer from the underlying security weaknesses of general-purpose operating systems. To quote from the June 2001 issue of PC Plus, 'A software firewall is far from a perfect solution. Thanks to the loopholes and limitations present in all versions of Windows, you'll never be 100 per cent secure from someone who wants to penetrate your system, unless your connection runs through a hardware firewall device.'"

correct me if i'm wrong, but until now i thought "hardware device" means there's some specialized hardware in it, though i realize quite a few of those boxes are actually running linux/bsd...

-- marie

From Stephen.Hope at energis.com Mon Jul 15 07:31:16 2002
From: Stephen.Hope at energis.com (Stephen Hope)
Date: Mon, 15 Jul 2002 12:31:16 +0100
Subject: [vpn] Site-to-site VPNs to same networks
Message-ID: <73BE32DA9E55D511ACF30050BAEA048702A8E9C6@eisemail.energis.co.uk>

Tina,

I have built a couple of "extranet" style systems like this over the past couple of years, for remote monitoring and for travel, so I stumbled across the same issue. The solution we came up with is to design out the problem.
In the systems I was involved in, all the customers had to talk to common central servers.

It isn't well known, but the Internet address allocation rules do not require that you use allocated address space for an Internet-connected network - all you need is a justification for needing unique addresses - and this kind of requirement is a classic use of such.

So, we got some Internet-allocated address space and used that for the common network. That way, anyone who conflicts is trying to use address space we "own", so they need to change.

Stephen

-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Wednesday, July 10, 2002 9:09 PM
To: Watson, Travis
Cc: 'Siddhartha Jain'; vpn at securityfocus.com
Subject: RE: [vpn] Site-to-site VPNs to same networks

The way I read Siddhartha's message, he is concerned that the >internal< networks are addressed out of the same range. If that's the case, the use of the external address isn't going to fix things -- because there's no way to do the routing. Remember that the local system has to know to send traffic destined for the remote private network to the VPN gateway. If both the local and remote LANs are addressed from, say, 192.168.16.0/24, there's no way to route.

The answer there being, co-operation between network admins on both sides. Oh joy. I've been looking for a better answer for years, but no luck.

tbird

"The road of excess leads to the palace of wisdom."
William Blake, "Proverbs of Hell"

http://www.shmoo.com/~tbird
Log Analysis http://www.counterpane.com/log-analysis.html
VPN http://vpn.shmoo.com

On Wed, 10 Jul 2002, Watson, Travis wrote:

> Siddhartha,
>
> I'm not quite sure what you are asking, but it sounds like you just have to ask the distant end what IP address they are
> using as an outside interface. Presumably, that is not going to be difficult, but I don't know if you have a contact at
> the distant end.
>
> Regarding your second concern, the endpoint IP address (outside interface) can't be in the same subnet as the LAN it is
> protecting. If you have limited IP space, you can use the public IPs for external interfaces and give 10.x.x.x and/or
> 192.168.x.x to the internal nets. Then have the internal nets NAT to a smaller, public IP range when going across the
> tunnel so you can route them on either side.
>
> Hope that helps.
>
> --Travis
>
> -----Original Message-----
> From: Siddhartha Jain [mailto:losttoy2000 at yahoo.co.uk]
> Sent: Wednesday, July 10, 2002 6:22 AM
> To: vpn at securityfocus.com
> Subject: [vpn] Site-to-site VPNs to same networks
>
>
> Hi,
>
> I need to establish site-to-site IPSec tunnels to
> remote networks whose IP addressing is not determined
> by me. These networks might use the same IP address
> pools for their LANs.
>
> How do I configure my VPN device in such a scenario?
>
> Regards,
>
> Siddhartha
>
> __________________________________________________
> Do You Yahoo!?
> Everything you'll ever need on one web page
> from News and Sport to Email and Music Charts
> http://uk.my.yahoo.com

********************************************************************************************************
This e-mail is from Energis plc, 50 Victoria Embankment, London, EC4Y 0DE, United Kingdom, No: 2630471. This e-mail is confidential to the addressee and may be privileged. The views expressed are personal and do not necessarily reflect those of Energis. If you are not the intended recipient please notify the sender immediately by calling our switchboard on +44 (0) 20 7206 5555 and do not disclose to another person or use, copy or forward all or any of it in any form.
********************************************************************************************************

From arbromley41 at hotmail.com Mon Jul 15 04:47:52 2002
From: arbromley41 at hotmail.com (adrian bromley)
Date: 15 Jul 2002 08:47:52 -0000
Subject: [vpn] vpn 827 to 827
Message-ID: <20020715084752.31229.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20020715/32dbd7dd/attachment.txt

From listsmurf at ur.nl Mon Jul 15 03:14:34 2002
From: listsmurf at ur.nl (Jonathan (Listserv))
Date: Mon, 15 Jul 2002 09:14:34 +0200
Subject: [vpn] Seeking low cost hardware VPN solutions
In-Reply-To: <85A3B76C8A41764B8DBA7D799A200280D30F@nts.vtl.ee>
Message-ID:

> 'A software firewall is far from a perfect solution. Thanks to the
> loopholes and limitations present in all versions of Windows, you'll
> never be 100 per cent secure from someone who wants to penetrate
> your system, unless your connection runs through a hardware firewall
> device.' "
>
> correct me if i'm wrong, but until now i thought "hardware device" means
> there's some specialized hardware in it, though i realize quite a few of
> those boxes are actually running linux/bsd...

It is definitely not a firewall appliance with specialized ASICs, such as the NetScreen, SonicWall and similar products. But it is a dedicated firewall with a minimal Linux system, tuned for firewall duty and nothing else. Compare that to their definition of a software firewall, which seems to be Checkpoint or a similar product on a Windows system, and you've got your 'dedicated hardware firewall'.

Still think that sales came up with it, but hey... Although I would phrase it differently, it is a valid selling point for their product.
Cya,
Jonathan

From schwenke-vpn-list at orakel.ntnu.no Mon Jul 15 10:22:59 2002
From: schwenke-vpn-list at orakel.ntnu.no (Eirik Schwenke)
Date: Mon, 15 Jul 2002 16:22:59 +0200 (CEST)
Subject: [vpn] Clarification on key-negotiation and security of ipsec
In-Reply-To: <01KK06D7ACP69ED93D@Opus1.COM>
Message-ID:

Hi,

does anyone know how knowledge of preshared secrets and/or knowledge of private keys using certificate-based authentication affects the security of ipsec?

That is: if an attacker knows the pre-shared secret or the private key of _one_ of the parties negotiating a vpn-connection, and is able to listen to the traffic -- will that attacker be able to calculate the session-keys used for encryption?

It is my understanding that a passive attacker would _not_ be able to calculate the session keys, and listen to the encrypted traffic -- is this correct?

--
Eirik Schwenke

"Eat right, exercise regularly, die anyway."

From natasha at espace.net Mon Jul 15 12:10:46 2002
From: natasha at espace.net (Natasha Smith)
Date: Mon, 15 Jul 2002 09:10:46 -0700
Subject: Fwd: [vpn] Clarification on key-negotiation and security of ipsec
Message-ID: <5.1.0.14.2.20020715085627.02e2a9d0@mail.espace.net>

I believe that because of the cookie mechanism (also called nonces -- apologies to my UK friends) you could not figure it out because you would not have enough information. I would not trust that, though. I think the protections against replay attack would cover this.

The thing that would definitely be bad is that the attacker could connect to the other end pretending to be you. And, your certificate would be compromised which would mean you'd need to get it revoked.

>does anyone know how knowledge of preshared secrets
>and/or knowledge of private keys using certificate-
>based authentication affects the security of
>ipsec ?
>
>That is: if an attacker knows the pre-shared secret/ or
>the private key of _one_ of the parties negotiating a
>vpn-connection, and is able to listen to the traffic --
>will that attacker be able to calculate the session-keys
>used for encryption ?
>
>It is my understanding that a passive attacker would _not_
>be able to calculate the session keys, and listen to the
>encrypted traffic -- is this correct ?

From rmalayter at bai.org Mon Jul 15 13:44:35 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Mon, 15 Jul 2002 12:44:35 -0500
Subject: [vpn] Clarification on key-negotiation and security of ipsec
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FD9B@mail.bai.org>

Hmm... I would think it depends upon how much of the conversation the attacker could sniff off the wire. In either compromise scenario you propose, I believe the attacker would be able to decrypt traffic if he could listen to the initial key exchange and had either the preshared secret or one of the private keys. (In the single private key case, I think it would depend on which key was compromised, the initiator or the authenticator, but we have to assume worst case.)

Wouldn't this have to be true? I mean, all the *authorized* endpoint really has at the start of a conversation is its preshared secret or private key. If it wasn't possible to decrypt the conversation with just this information, how would the VPN ever work in the first place?

-ryan-

-----Original Message-----
From: Natasha Smith [mailto:natasha at espace.net]
Sent: Monday, July 15, 2002 11:11 AM
To: vpn at securityfocus.com
Subject: Fwd: [vpn] Clarification on key-negotiation and security of ipsec

I believe that because of the cookie mechanism (also called nonces -- apologies to my UK friends) you could not figure it out because you would not have enough information. I would not trust that, though. I think the protections against replay attack would cover this.

The thing that would definitely be bad is that the attacker could connect to the other end pretending to be you. And, your certificate would be compromised which would mean you'd need to get it revoked.

>does anyone know how knowledge of preshared secrets
>and/or knowledge of private keys using certificate-
>based authentication affects the security of
>ipsec ?
>
>That is: if an attacker knows the pre-shared secret/ or
>the private key of _one_ of the parties negotiating a
>vpn-connection, and is able to listen to the traffic --
>will that attacker be able to calculate the session-keys
>used for encryption ?
>
>It is my understanding that a passive attacker would _not_
>be able to calculate the session keys, and listen to the
>encrypted traffic -- is this correct ?

From evyncke at cisco.com Tue Jul 16 02:30:59 2002
From: evyncke at cisco.com (Eric Vyncke)
Date: Tue, 16 Jul 2002 08:30:59 +0200
Subject: [vpn] vpn 827 to 827
In-Reply-To: <20020715084752.31229.qmail@mail.securityfocus.com>
Message-ID: <4.3.2.7.2.20020716082404.020a7748@brussels.cisco.com>

At 08:47 15/07/2002 +0000, adrian bromley wrote:
>In-Reply-To: <000f01c1f6af$48e52110$051ea8c0 at win2000>
>
>james,
>
>I have EXACTLY the same problem - on same hardware. Did you ever get this
>going? If so, what was the solution?

This is not a problem ;-) (even if I must admit that message could be improved!)

The situation happens when your remote access (in your case probably an ADSL emulated PPP) interface (aka dialer) is using a dynamic IP address allocated by your ISP. In this case, the router has no IP address on the dialer interface until the PPP line is brought up.
So, if you decide to encrypt traffic going over this dialer interface which is still down, IKE wants to send a phase packet to the IKE peer, but, as IKE does not know yet its own IP address (remember the dialer line is still down), it will use 0.0.0.0 as a source IP address (hence the term 'bogus packet'). This packet will cause the dialer classification (the dialer ACL) to start the PPP interface in order to get an IP address and then be able to send actual IKE packets with the dynamically allocated IP address.

NB: the packet with source 0.0.0.0 is NOT sent on the line.

BOTTOM LINE: this is normal and expected behavior when using a dynamically allocated IP address.

BUT, in your case, you seem to have this message repeated multiple times every 2 seconds... this indicates that the dialer interface is never receiving an IP address from your ISP.

-eric

> >00:17:16: IPSEC(sa_initiate): Sending bogus packet to dialer for
> >classification.
> >00:17:18: IPSEC(sa_initiate): Sending bogus packet to dialer for
> >classification.
> >00:17:20: IPSEC(sa_initiate): Sending bogus packet to dialer for
> >classification.
> >00:17:22: IPSEC(sa_initiate): Sending bogus packet to dialer for
> >classification.
> >00:17:24: IPSEC(sa_initiate): Sending bogus packet to dialer for
> >classification

From evyncke at cisco.com Tue Jul 16 02:23:01 2002
From: evyncke at cisco.com (Eric Vyncke)
Date: Tue, 16 Jul 2002 08:23:01 +0200
Subject: [vpn] Clarification on key-negotiation and security of ipsec
In-Reply-To:
References: <01KK06D7ACP69ED93D@Opus1.COM>
Message-ID: <4.3.2.7.2.20020716082040.0204ca00@brussels.cisco.com>

Eirik,

Even if the credentials are known to a passive attacker (only sniffing, never sending), you will be safe because you will rely on the Diffie-Hellman key exchange. The pre-shared key or cert is used ONLY for authentication, not for encryption.

In reality, as D-H is susceptible to a man in the middle attack (where the attacker is active), without an authenticated D-H you will get no confidentiality as well.

But, in your passive attacker case, you are safe.

-eric

At 16:22 15/07/2002 +0200, Eirik Schwenke wrote:
>Hi,
>
>does anyone know how knowledge of preshared secrets
>and/or knowledge of private keys using certificate-
>based authentication affects the security of
>ipsec ?
>
>That is: if an attacker knows the pre-shared secret/ or
>the private key of _one_ of the parties negotiating a
>vpn-connection, and is able to listen to the traffic --
>will that attacker be able to calculate the session-keys
>used for encryption ?
>
>It is my understanding that a passive attacker would _not_
>be able to calculate the session keys, and listen to the
>encrypted traffic -- is this correct ?
>
>--
>Eirik Schwenke
>
>"Eat right, exercise regularly, die anyway."

From ted at tenable.com Tue Jul 16 09:58:40 2002
From: ted at tenable.com (Ted)
Date: Tue, 16 Jul 2002 09:58:40 -0400
Subject: [vpn] Beginner question
Message-ID:

What do I need hardware wise to initiate a VPN? I have a 10 station Windows 98 and Win2000 Pro mixture. I just had a T1 line installed at the Corporate side. What do I need at corporate and what do I need at the branch? I also want to go out to individual customers and collect information from them. I am planning to install a Win2K server at corporate. Any guidance would be appreciated.

ted

From rmalayter at bai.org Tue Jul 16 11:23:25 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Tue, 16 Jul 2002 10:23:25 -0500
Subject: [vpn] Clarification on key-negotiation and security of ipsec
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FDAE@mail.bai.org>

After more reading, I see that you're correct, and my initial post was quite wrong: the preshared secret/private key are only used to authenticate the random Diffie-Hellman key pair used in an IKE key exchange.

I was thinking that IKE worked similarly to PGP or S/MIME, where the private key is used to encrypt the session key directly. This is, of course, unnecessary (and actually undesirable for security reasons) in IKE, since the messages do not need to be decrypted after a long period of time like a mail message.

-ryan-

-----Original Message-----
From: Eric Vyncke [mailto:evyncke at cisco.com]
Sent: Tuesday, July 16, 2002 1:23 AM
To: Eirik Schwenke
Cc: vpn at securityfocus.com
Subject: Re: [vpn] Clarification on key-negotiation and security of ipsec

Eirik,

Even if the credentials are known to a passive attacker (only sniffing, never sending), you will be safe because you will rely on the Diffie-Hellman key exchange. The pre-shared key or cert is used ONLY for authentication, not for encryption.

In reality, as D-H is susceptible to a man in the middle attack (where the attacker is active), without an authenticated D-H you will get no confidentiality as well.

But, in your passive attacker case, you are safe.

-eric

At 16:22 15/07/2002 +0200, Eirik Schwenke wrote:
>Hi,
>
>does anyone know how knowledge of preshared secrets
>and/or knowledge of private keys using certificate-
>based authentication affects the security of
>ipsec ?
>
>That is: if an attacker knows the pre-shared secret/ or
>the private key of _one_ of the parties negotiating a
>vpn-connection, and is able to listen to the traffic --
>will that attacker be able to calculate the session-keys
>used for encryption ?
>
>It is my understanding that a passive attacker would _not_
>be able to calculate the session keys, and listen to the
>encrypted traffic -- is this correct ?
>
>--
>Eirik Schwenke
>
>"Eat right, exercise regularly, die anyway."

From MikeK at M-V-T.COM Wed Jul 17 12:22:08 2002
From: MikeK at M-V-T.COM (Mike Kelley)
Date: Wed, 17 Jul 2002 10:22:08 -0600
Subject: [vpn] Cisco VPN3.1 and Motorola data packet service
Message-ID: <23D9870BAE04D611B6AE00024433740B388B8F@MVTMAIL>

I am using Nextel for my cellular service and was just recently able to set up their packetstream gold service that allows for a 56k connection over a cell. Once connected I was unable to connect using the VPN software. Has anyone else conquered this issue/problem? Nextel said 3 to 9 weeks before this service would be available but that some users had figured out how to connect. Anyone here??

From rmalayter at bai.org Wed Jul 17 15:28:58 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Wed, 17 Jul 2002 14:28:58 -0500
Subject: [vpn] Cisco VPN3.1 and Motorola data packet service
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FDC2@mail.bai.org>

Hmm... I had no trouble making PPTP connections over AT&T's digital packet service (didn't try IPsec). If NEXTEL's service is really just IP, without NAT, wouldn't any VPN client work?
-----Original Message-----
From: Mike Kelley [mailto:MikeK at M-V-T.COM]
Sent: Wednesday, July 17, 2002 11:22 AM
To: vpn at securityfocus.com
Subject: [vpn] Cisco VPN3.1 and Motorola data packet service

I am using Nextel for my cellular service and was just recently able to set up their packetstream gold service that allows for a 56k connection over a cell. Once connected I was unable to connect using the VPN software. Has anyone else conquered this issue/problem? Nextel said 3 to 9 weeks before this service would be available but that some users had figured out how to connect. Anyone here??

From MikeK at M-V-T.COM Wed Jul 17 16:59:50 2002
From: MikeK at M-V-T.COM (Mike Kelley)
Date: Wed, 17 Jul 2002 14:59:50 -0600
Subject: [vpn] Cisco VPN3.1 and Motorola data packet service
Message-ID: <23D9870BAE04D611B6AE00024433740B388B92@MVTMAIL>

When I use the cell phones as a straight connection (dial my ISP @ 9600) I can use the VPN; when I use the data compression connection the VPN doesn't work. The 9600 connection is too slow for my emulator program so I was hoping the data compression avenue might work.

Mike Kelley
Information Systems Manager
Mesilla Valley Transportation
http://www.M-V-T.com
3590 W. Picacho
LC, NM 88005
cell 505-975-0556
work 505-524-2835 ext. 4266

-----Original Message-----
From: Ryan Malayter [mailto:rmalayter at bai.org]
Sent: Wednesday, July 17, 2002 1:29 PM
To: Mike Kelley; vpn at securityfocus.com
Subject: RE: [vpn] Cisco VPN3.1 and Motorola data packet service

Hmm... I had no trouble making PPTP connections over AT&T's digital packet service (didn't try IPsec). If NEXTEL's service is really just IP, without NAT, wouldn't any VPN client work?
-----Original Message-----
From: Mike Kelley [mailto:MikeK at M-V-T.COM]
Sent: Wednesday, July 17, 2002 11:22 AM
To: vpn at securityfocus.com
Subject: [vpn] Cisco VPN3.1 and Motorola data packet service

I am using Nextel for my cellular service and was just recently able to set up their packetstream gold service that allows for a 56k connection over a cell. Once connected I was unable to connect using the VPN software. Has anyone else conquered this issue/problem? Nextel said 3 to 9 weeks before this service would be available but that some users had figured out how to connect. Anyone here??

From tbird at precision-guesswork.com Wed Jul 17 20:02:38 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Thu, 18 Jul 2002 00:02:38 +0000 (GMT)
Subject: [vpn] Moving Mailing List
Message-ID: <20020718000150.U81722-100000@sisyphus.iocaine.com>

Hi all -- As a consequence of the Symantec acquisition of SecurityFocus, I am moving the Log Analysis and VPN mailing lists to a non-commercial host. The list will be served by the machine sisyphus.iocaine.com and run by the Shmoo Group (http://www.shmoo.com), of which I am a part. I will of course continue to moderate.

Please contact me directly if you have questions or concerns about this decision. I will update everyone with more information when we've got things ready to go.

thanks very much -- Tina Bird

"The road of excess leads to the palace of wisdom."
William Blake, "Proverbs of Hell"

http://www.shmoo.com/~tbird
Log Analysis http://www.counterpane.com/log-analysis.html
VPN http://vpn.shmoo.com

From keithp at protectors.cc Wed Jul 17 20:19:09 2002
From: keithp at protectors.cc (Keith A. Pachulski, PPS, GCIH)
Date: Wed, 17 Jul 2002 20:19:09 -0400
Subject: [vpn] Moving Mailing List
In-Reply-To: <20020718000150.U81722-100000@sisyphus.iocaine.com>
Message-ID:

so this is the part that securityfocus falls apart?
-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Wednesday, July 17, 2002 8:03 PM
To: vpn at securityfocus.com
Cc: tsg at shmoo.com
Subject: [vpn] Moving Mailing List

Hi all -- As a consequence of the Symantec acquisition of SecurityFocus, I am moving the Log Analysis and VPN mailing lists to a non-commercial host. The list will be served by the machine sisyphus.iocaine.com and run by the Shmoo Group (http://www.shmoo.com), of which I am a part. I will of course continue to moderate.

Please contact me directly if you have questions or concerns about this decision. I will update everyone with more information when we've got things ready to go.

thanks very much -- Tina Bird

"The road of excess leads to the palace of wisdom."
William Blake, "Proverbs of Hell"

http://www.shmoo.com/~tbird
Log Analysis http://www.counterpane.com/log-analysis.html
VPN http://vpn.shmoo.com

From tbird at precision-guesswork.com Wed Jul 17 20:22:03 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Thu, 18 Jul 2002 00:22:03 +0000 (GMT)
Subject: [vpn] Moving Mailing List
In-Reply-To:
Message-ID: <20020718002030.X81722-100000@sisyphus.iocaine.com>

No, it's not meant as a vote of no confidence for SecurityFocus at all. I'm pleased that my friends have done so well for themselves. But Symantec and Counterpane (my employer) are both in the managed security market, and I didn't want there to be any conflict of interest with regard to ownership of my lists. It's rather more of an issue for the Log Analysis list than it is for this one, but I also didn't want to complicate my life by running lists in two different places.

tbird

On Wed, 17 Jul 2002, Keith A. Pachulski, PPS, GCIH wrote:

> so this is the part that securityfocus falls apart?
>
> -----Original Message-----
> From: Tina Bird [mailto:tbird at precision-guesswork.com]
> Sent: Wednesday, July 17, 2002 8:03 PM
> To: vpn at securityfocus.com
> Cc: tsg at shmoo.com
> Subject: [vpn] Moving Mailing List
>
>
> Hi all -- As a consequence of the Symantec acquisition of SecurityFocus, I
> am moving the Log Analysis and VPN mailing lists to a non-commercial host.
> The list will be served by the machine sisyphus.iocaine.com and run by the
> Shmoo Group (http://www.shmoo.com), of which I am a part. I will of
> course continue to moderate.
>
> Please contact me directly if you have questions or concerns about this
> decision. I will update everyone with more information when we've got
> things ready to go.
>
> thanks very much -- Tina Bird
>
> "The road of excess leads to the palace of wisdom."
> William Blake, "Proverbs of Hell"
>
> http://www.shmoo.com/~tbird
> Log Analysis http://www.counterpane.com/log-analysis.html
> VPN http://vpn.shmoo.com

From john at dndlabs.net Thu Jul 18 01:24:01 2002
From: john at dndlabs.net (john at dndlabs.net)
Date: Thu, 18 Jul 2002 01:24:01 -0400
Subject: [vpn] Cisco VPN3.1 and Motorola data packet service
Message-ID:

I'm using Nextel's iM1100 Motorola Wireless modem as that uses DDP (Digital Data Packet) not CDP (Cellular Data Packet). Nextel's Gold service uses a hardware compression gateway to get your 19200 connection very close to a 56K one. However, you are correct... the hardware compression gateway is not set to support IPSec until 3Q2002.

-John

Mike Kelley
07/17/2002 12:22 PM

To: vpn at securityfocus.com
cc:
Subject: [vpn] Cisco VPN3.1 and Motorola data packet service

I am using Nextel for my cellular service and was just recently able to set up their packetstream gold service that allows for a 56k connection over a cell.
Once connected I was unable to connect using the VPN software. Has anyone else conquered this issue/problem? Nextel said 3 to 9 weeks before this service would be available but that some users had figured out how to connect. Anyone here??

From tbird at precision-guesswork.com Wed Jul 24 17:55:40 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 24 Jul 2002 21:55:40 +0000 (GMT)
Subject: [VPN] Test message
Message-ID: <20020724215523.Q40490-100000@sisyphus.iocaine.com>

Please disregard this test message.

t.

"The road of excess leads to the palace of wisdom."
William Blake, "Proverbs of Hell"

http://www.shmoo.com/~tbird
Log Analysis http://www.counterpane.com/log-analysis.html
VPN http://vpn.shmoo.com

From tbird at precision-guesswork.com Wed Jul 24 18:03:12 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 24 Jul 2002 22:03:12 +0000 (GMT)
Subject: [VPN] test #2
Message-ID: <20020724220254.F41028-100000@sisyphus.iocaine.com>

Please disregard this test message.

t.

"The road of excess leads to the palace of wisdom."
William Blake, "Proverbs of Hell"

http://www.shmoo.com/~tbird
Log Analysis http://www.counterpane.com/log-analysis.html
VPN http://vpn.shmoo.com
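Added example (not from any message in this archive) illustrating the point made in the "Clarification on key-negotiation and security of ipsec" thread above: the pre-shared key only authenticates the Diffie-Hellman values, so a passive attacker who knows the PSK and records the whole exchange can verify the tag but holds no private exponent from which to derive the session key, while a substituted DH value fails verification at the legitimate peer. The group, the tag construction and the key derivation are simplified stand-ins for IKE's, not IKE itself.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: p = 2^127 - 1 (a Mersenne
# prime), g = 2. Real IKE uses the MODP groups of RFC 2409 / RFC 3526.
P = (1 << 127) - 1
G = 2
PSK = b"constructed-pre-shared-key"   # constructed sample value, not a real PSK


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def auth_tag(psk, pub_i, pub_r, nonce):
    """PSK-keyed MAC over the exchanged DH values. Hypothetical stand-in for
    IKE's HASH_I/HASH_R: the PSK authenticates the exchange and nothing else."""
    msg = pub_i.to_bytes(16, "big") + pub_r.to_bytes(16, "big") + nonce
    return hmac.new(psk, msg, hashlib.sha256).digest()


def session_key(shared_secret, nonce):
    """Session key derived from g^(xi*xr) only; the PSK is never an input."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big") + nonce).digest()


def authenticated_dh(psk):
    """Run one exchange; return both parties' keys and the on-the-wire transcript."""
    nonce = secrets.token_bytes(16)
    x_i, pub_i = dh_keypair()          # initiator's secret never leaves it
    x_r, pub_r = dh_keypair()          # responder's secret never leaves it
    key_i = session_key(pow(pub_r, x_i, P), nonce)
    key_r = session_key(pow(pub_i, x_r, P), nonce)
    transcript = {"pub_i": pub_i, "pub_r": pub_r, "nonce": nonce,
                  "tag": auth_tag(psk, pub_i, pub_r, nonce)}
    return key_i, key_r, transcript


def verify_tag(psk, transcript):
    """Everything the transcript plus the PSK lets anyone check. A sniffer who
    knows the PSK can confirm who spoke, but without x_i or x_r it cannot form
    g^(xi*xr), hence not the session key. A DH value replaced in transit by an
    active attacker (who lacks the PSK) fails this check and is rejected."""
    expected = auth_tag(psk, transcript["pub_i"], transcript["pub_r"],
                        transcript["nonce"])
    return hmac.compare_digest(expected, transcript["tag"])
```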