From ken at seefried.com Sun Jun 2 14:00:05 2002
From: ken at seefried.com (Ken Seefried)
Date: Sun, 02 Jun 2002 18:00:05 GMT
Subject: [vpn] Radius Server for VPN
In-Reply-To: <1022980759.27920.ezmlm@securityfocus.com>
References: <1022980759.27920.ezmlm@securityfocus.com>
Message-ID: <20020602180005.12163.qmail@mail.seefried.com>

From: John Starta
> You didn't indicate what VPN device you're using, but assume it
> can handle RADIUS authentication. Steel Belted Radius[1] meets
> your criteria and works extremely well. We use it with both our
> Nortel and Cisco VPN devices.

I concur. Funk Software's Steel Belted Radius is simply the best product out there for non-trivial RADIUS authentication.

Ken Seefried, CISSP

VPN is sponsored by SecurityFocus.com


From pjacob at ftmc.com Mon Jun 3 12:28:42 2002
From: pjacob at ftmc.com (Pete Jacob)
Date: Mon, 03 Jun 2002 12:28:42 -0400
Subject: [vpn] wep
Message-ID: <5.1.0.14.2.20020603122819.02da2788@4.18.4.133>

Hello~

I was wondering if anyone knew of a good solution to help my problem... I have an external wireless connection to an office across the street using BreezeCOM 802.11b technology, but the equipment will only use a 40-bit WEP key. I would like to accomplish the following:

1. treat both sites as different broadcast domains
2. have some sort of magical box that will provide some sort of magical VPN/3DES encryption, and have two ethernet ports in it, one to connect to the network, another to connect to the wireless network; then back at the remote site it would do the same...

I was thinking that Cisco probably makes what I need, but since I am only a lowly CCNA it might be too difficult to configure, and too costly. I also think I should be able to do this with a pee cea and two NICs... but this sounds like a bad idea.

Thanks~
Pete.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.368 / Virus Database: 204 - Release Date: 5/29/2002


From jamesh at mail.abcsinc.com Mon Jun 3 14:20:57 2002
From: jamesh at mail.abcsinc.com (James Hartman)
Date: Mon, 3 Jun 2002 13:20:57 -0500
Subject: [vpn] wep
In-Reply-To: <5.1.0.14.2.20020603122819.02da2788@4.18.4.133>
References: <5.1.0.14.2.20020603122819.02da2788@4.18.4.133>
Message-ID: <200206031753.MAA05999@www.abcsinc.com>

This makes me wonder if one could use a device such as a SnapGear to secure WAP-to-WAP connections. If that is possible, which I'm fairly certain it is, what else could be snatched from the air other than the IPsec traffic? Sorry, I'm not as well versed in wireless as I would like.


From rmalayter at bai.org Mon Jun 3 13:30:30 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Mon, 3 Jun 2002 12:30:30 -0500
Subject: [vpn] wep
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FC11@mail.bai.org>

You need to assume that the wireless link is completely compromised. So you treat it like you would the public Internet: you firewall it. Any of the combo firewall/VPN devices out there will work for you at 802.11b speeds, when set up like this:

NetworkA<-->Firewall<-->Breezecom // Breezecom<-->FireWall<-->NetworkB

Buying two Netgear FVS318 would probably let you do this for less than $300 in hardware costs. If you have more than 253 nodes on either side of the network, you'll need something bigger and better.

All you need to do is configure the network and IPsec settings on each device, and plug the Breezecom stuff into the Internet/WAN ports on the firewalls.

Regards,
:::Ryan Malayter
:::Network Engineer
:::Bank Administration Institute
:::Chicago, Illinois, USA
:::PGP Key: http://www.malayter.com/pgp-public.txt


From TorreA at bsci.com Mon Jun 3 14:15:06 2002
From: TorreA at bsci.com (Torre, Alex)
Date: Mon, 3 Jun 2002 14:15:06 -0400
Subject: [vpn] wep
Message-ID: <438C2ACF7CD0D411B6E300508BB1DD450103FB8E@miapr2.bscexc1.bsci.com>

Pete,

I would continue to look into the Cisco solution for the VPN encryption. But one thing that did strike me right off the bat is the wireless across the buildings. Make sure to check your security on your WEP. WEP really isn't the most secure thing, but you can take certain precautionary measures to increase your network security.

How well is your Breezecom working? It didn't get that great of a review from Network Computing. Check the link (http://www.networkcomputing.com/1113/1113f25.html).

Alex


From slaz at fortresstech.com Mon Jun 3 14:50:08 2002
From: slaz at fortresstech.com (Steve Lazaridis)
Date: 03 Jun 2002 14:50:08 -0400
Subject: [vpn] wep
In-Reply-To: <5.1.0.14.2.20020603122819.02da2788@4.18.4.133>
References: <5.1.0.14.2.20020603122819.02da2788@4.18.4.133>
Message-ID: <1023130215.1085.13.camel@gigada>

Take a look at the AirFortress solution from Fortress Technologies: http://www.fortresstech.com


From Alan.Mackenzie at ind.alcatel.com Mon Jun 3 16:04:46 2002
From: Alan.Mackenzie at ind.alcatel.com (Alan MacKenzie)
Date: Mon, 3 Jun 2002 16:04:46 -0400
Subject: [vpn] wep
In-Reply-To: <5.1.0.14.2.20020603122819.02da2788@4.18.4.133>
Message-ID: <001201c20b3a$7c699c60$6601a8c0@mack3>

ReefEdge makes a cool product... much cheaper than crisco.


From rmalayter at bai.org Mon Jun 3 16:43:55 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Mon, 3 Jun 2002 15:43:55 -0500
Subject: [vpn] wep
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FC18@mail.bai.org>

You use shared-secret (or even certificate-based) IKE and form an IPsec tunnel between the two firewalls. So yes, the firewall is open, but only to authenticated and encrypted traffic coming from the other firewall.

I'm not sure what you think the Internet or PPTP has to do with any of this, since neither Windows nor the Internet were mentioned in Pete's initial post.

-ryan-

-----Original Message-----
From: Kenneth Erickson [mailto:erickskl at yahoo.com]
Sent: Monday, June 03, 2002 2:14 PM
To: Ryan Malayter
Subject: RE: [vpn] wep

Dear Ryan,

I don't understand this. If the wireless Access Points are outside the firewall then you would have to open the firewall to let their traffic through. Then you would have to authenticate to the server. Wouldn't it be easier to have PPTP over the Internet?


From rmalayter at bai.org Mon Jun 3 17:44:14 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Mon, 3 Jun 2002 16:44:14 -0500
Subject: [vpn] wep
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FC1D@mail.bai.org>

From: Kenneth Erickson [mailto:erickskl at yahoo.com]
> Thank you. You're right, they weren't mentioned.
> It just seemed like that might be another way
> to hook up two buildings.

It could be done if he has Windows servers on both sides, each with an extra NIC. Even if all protocol bindings except IPsec/L2TP/PPTP were removed from the wireless-side NICs, the setup would not be as secure as having an actual stateful inspection firewall on each side of the wireless connection. Nor would it be as easy to set up.

> Since WEP is swiss cheese, what do you think
> about establishing some form of security on all of the
> clients and servers that are on the intranet, then
> placing the Access Point on the inside of the firewall?

That's not a bad idea, but it's a heck of a lot more work than buying two firewall/VPN devices and connecting them with an IPsec tunnel. Then the "Swiss cheese" portion of his network is blocked from access to the LAN, which should be (reasonably) trustworthy.

Requiring IPsec to every client and with every connection isn't out of the question, but I'm sure it will cause a lot of issues. Perhaps not every protocol, service, application, or operating system in use is compatible with the encryption solution. Certainly diagnosing LAN problems with a sniffer will become much more difficult. And the more devices that have a shared secret, the more chances of that secret being compromised and the security negated.

Of course, securing all network traffic to and from clients is desirable if the physical security of the existing LAN in each building is poor. (One can often get into wiring closets simply by wearing a tool belt and carrying a clipboard!) But if that's the case, the physical security of client devices (which hold the encryption keys for the secured LAN) is probably quite poor as well. In such a situation, would a physically insecure network be made any safer by simply turning on encryption on all the clients and servers? Not by much.

Regards,
:::Ryan Malayter
:::Network Engineer
:::Bank Administration Institute
:::Chicago, Illinois, USA
:::PGP Key: http://www.malayter.com/pgp-public.txt


From rmalayter at bai.org Mon Jun 3 18:29:15 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Mon, 3 Jun 2002 17:29:15 -0500
Subject: [vpn] wep
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FC22@mail.bai.org>

One other thing... It might be best to look for firewall/VPN devices which support the emerging IPcomp standard for compression before IPsec encryption. That 802.11b connection will feel a lot quicker. Devices from Cisco, Alcatel, Nokia/Checkpoint, and others support this, as does the Linux-based FreeS/WAN suite. Unfortunately, the bargain-basement devices from NETGEAR I mentioned earlier do not, nor could I find any reference to IPcomp when searching the SonicWall and WatchGuard sites.


From munix-1 at pacbell.net Mon Jun 3 21:37:01 2002
From: munix-1 at pacbell.net (Jose Muniz)
Date: Mon, 03 Jun 2002 18:37:01 -0700
Subject: [vpn] wep
References: <5.1.0.14.2.20020603122819.02da2788@4.18.4.133>
Message-ID: <3CFC19BD.6070001@pacbell.net>

You could use a Netscreen firewall, and have IPsec clients on your wireless systems, with a policy as follows [any any encrypt] on the clients. Then you will have IKE policies, so that these clients can establish a tunnel to the "trusted" interface. Or, if you like, you could have the same setup to a dedicated appliance and tunnel to the untrusted [you don't have to].

Also, just so that you know, the NS is the only box out there that lets you create a tunnel to the trusted interface. It will work like a charm.

Jose.


From Stephen.Hope at energis.com Wed Jun 5 07:56:14 2002
From: Stephen.Hope at energis.com (Stephen Hope)
Date: Wed, 5 Jun 2002 12:56:14 +0100
Subject: [vpn] wep
Message-ID: <73BE32DA9E55D511ACF30050BAEA048702A8E8AC@eisemail.energis.co.uk>

Pete,

Don't dismiss the Cisco stuff out of hand - sometimes they do get the costs right. You could use Cisco firewalls, routers, or VPN appliances. The Cisco 506E and 515E firewalls would be my choice, since they have the tools to do what you want - which box to choose depends on the number of users and activity across the link. Router examples are the 1721 or 2650 with hardware encryption, or the VPN3015 for VPN boxes.

The VPN boxes are the easiest to use and configure, routers have the most general utility and flexibility, and the firewalls are probably the most secure - your choice. The routers and VPN boxes have optional hardware acceleration, so would give you the option to choose the price/performance you need. PIX used to be the same, but the "E" models have encryption hardware as standard (so long as you spec that on the order).

A couple of points:

The wireless link runs at an effective speed of 5 to 8 Mbps half duplex, so you will need hardware encryption support. A lot of the low-end kit is designed for a 512k WAN limit from ADSL or cable.

If you want the sites to be separate broadcast domains, then you need something that understands routing (and all the protocols you use) - this should be a given for IP with any of the solutions that have been suggested - almost any others will need a good router. You may need some specialised routing functions, such as DHCP forwarding. If you have a WAN you may need OSPF etc., or some static routes to resolve the rest of the network topology. When you put it in, you will find that you need to re-address at least one building.

Good luck

Stephen


From rtwatson at qwest.net Thu Jun 6 09:35:41 2002
From: rtwatson at qwest.net (Travis Watson)
Date: 06 Jun 2002 06:35:41 -0700
Subject: [vpn] wep
In-Reply-To: <5.1.0.14.2.20020603122819.02da2788@4.18.4.133>
References: <5.1.0.14.2.20020603122819.02da2788@4.18.4.133>
Message-ID: <1023370541.3291.26.camel@dell1.traviswatson.net>

Pete,

Someone else already suggested it (don't have the name available), but going the VPN route with client software is the way to go to get what you want. The original suggestor pointed you toward Netscreen, which is also probably a good choice, though you certainly have options.

I've implemented this at one site and it worked fine (though we went with a different device). The only thing I would prepare you for is the shaky-handed user messing up his/her client software and calling you *all the time* until they get used to it. Additionally, you may have to allow for split-tunneling so people can get to local resources. It depends on what users are doing and how you are set up, but it's a decision you will have to make early on. Generally speaking, split-tunneling is bad juju, but since your users are already on the inside, it's not nearly as big of a vulnerability. Just make sure their web-surfing pulls through the tunnel if the WAP is between them and your Internet POP.

Good luck.

--Travis


From TomM at spectrum-systems.com Thu Jun 6 13:59:05 2002
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Thu, 6 Jun 2002 13:59:05 -0400
Subject: [vpn] wep
Message-ID: <2A0DB5123A51874C82699788F0985ED2064BF9@sith.spectrum-systems.com>

Regarding the shaky-handed user munging the configuration of NetScreen's software client, you can get around that concern by creating the policies and saving them in a "protected" mode. This will prevent the casual user from messing with the config. The more adventurous user can open the configuration in a text editor and remove the protected setting, but only if s/he knows what to change.

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com
Spectrum Systems, Inc.
11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/


From jmuniz at loudcloud.com Thu Jun 6 18:45:00 2002
From: jmuniz at loudcloud.com (Jose Muniz)
Date: Thu, 06 Jun 2002 15:45:00 -0700
Subject: [vpn] wep
References: <2A0DB5123A51874C82699788F0985ED2064BF9@sith.spectrum-systems.com>
Message-ID: <3CFFE5EC.638E007E@loudcloud.com>

Well said, Tom...

You know, I heard once about a user who walked onto the Golden Gate Bridge and jumped to his death... He was tightly embracing his laptop... Unfortunately my security solution did not save his life... as assumed by the exec staff :-P

Also, to corroborate a little more: on this setup, as I mentioned, you do NOT need split tunneling... "the tunnel splitting is dictated by the policy", so you could, I guess... As all the traffic will be tunneled to the Netscreen anyway... The IKE auth will also protect your wireless range, by the way...

Jose.

--
Jose Muniz
Network Engineering
Loudcloud, Inc.
(408)744-7583 Direct page-jmuniz at loudcloud.com ------------------------- http://www.loudcloud.com VPN is sponsored by SecurityFocus.com From shahzads at systemsltd.com.pk Fri Jun 7 07:50:44 2002 From: shahzads at systemsltd.com.pk (Mohammad Shahzad Saleem) Date: Fri, 7 Jun 2002 16:50:44 +0500 Subject: [vpn] VPN Session establishment Message-ID: <026101c20e19$9ad35e70$4801a8c0@lhr.systemsltd.com> Dear Sir/Madam, I want to establish the VPN session during the run time by my Visual Basic application. The scenario is:- I have developed a client server application. I used Oracle as database and clients are developed in Visual Basic. Database server is located in the central location and clients are connected to it through LAN. Now, I want the support of remote clients who are not the part of local LAN. So I found VPN the best option to use in this case. What I want to do the is dialup configuration to establish the VPN session at the client end. I don't want their network administrator to configure VPN through windows dialup support by dialing it in to my VPN server. I want this task of establishing the VPN session be done by my application itself. My application should be able to setup the connection to the remote VPN server. So that it may be able to use the Oracle database and so on. To do this I required to know the about the dialup components or VPN client components. I don't know wether this facility is available to the developers or not. I don't know wether this approach is workable or right or wrong. Please guide me and give me some hint so that I may proceed in the right direction. 
Regards Shahzad VPN is sponsored by SecurityFocus.com From losttoy2000 at yahoo.co.uk Fri Jun 14 00:44:39 2002 From: losttoy2000 at yahoo.co.uk (=?iso-8859-1?q?Siddhartha=20Jain?=) Date: Fri, 14 Jun 2002 05:44:39 +0100 (BST) Subject: [vpn] Difference between PIX and VPN 3000 Message-ID: <20020614044439.5116.qmail@web12704.mail.yahoo.com> Hi, Whats the difference between the VPN features of a Cisco PIX and that of a Cisco VPN 3000? Regards, Siddhartha __________________________________________________ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com VPN is sponsored by SecurityFocus.com From andrev at uunet.co.za Fri Jun 14 08:25:09 2002 From: andrev at uunet.co.za (Andre Venter) Date: Fri, 14 Jun 2002 14:25:09 +0200 Subject: [vpn] MPLS Message-ID: <4C4355E1C401D6118473009027E0199BD9ECD0@harx.staff.uunet.co.za> Hi All, Is this forum exclusive to IPSec? Kind Regards Andre Venter VPN is sponsored by SecurityFocus.com From Travis.Watson at Honeywell.com Fri Jun 14 13:45:51 2002 From: Travis.Watson at Honeywell.com (Watson, Travis) Date: Fri, 14 Jun 2002 10:45:51 -0700 Subject: [vpn] MPLS Message-ID: No, VPN in general. -----Original Message----- From: Andre Venter [mailto:andrev at uunet.co.za] Sent: Friday, June 14, 2002 5:25 AM To: vpn-securityfocus Subject: [vpn] MPLS Hi All, Is this forum exclusive to IPSec? Kind Regards Andre Venter VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com From ILazar at burtongroup.com Fri Jun 14 13:46:12 2002 From: ILazar at burtongroup.com (Irwin Lazar) Date: Fri, 14 Jun 2002 11:46:12 -0600 Subject: [vpn] MPLS Message-ID: <53BBA8839E91D51194D200902728944ED63C3E@host3.tbg.com> I'd recommend the MPLS-OPS list at www.mplsrc.com for concerns about MPLS VPNs. 
irwin

From djdawso at qwest.com Fri Jun 14 13:05:06 2002
From: djdawso at qwest.com (Dana J. Dawson)
Date: Fri, 14 Jun 2002 12:05:06 -0500
Subject: [vpn] Difference between PIX and VPN 3000
References: <20020614044439.5116.qmail@web12704.mail.yahoo.com>
Message-ID: <3D0A2242.23AD052D@qwest.com>

Siddhartha Jain wrote:
> Whats the difference between the VPN features of a
> Cisco PIX and that of a Cisco VPN 3000?

The VPN 3000 is a full-featured remote client access VPN concentrator, but has no true firewall features (only the equivalent of packet-filtering access-lists). It can do site-to-site VPN as well, but that's not its primary function.

The PIX is primarily a firewall, and can also do VPN. It's a little better at site-to-site than remote client access, since it doesn't support the IPSec-through-NAT features that the 3000 does, and it also does not support the local username/password configuration that the 3000 does. These restrictions are significant enough that I usually recommend to customers who really want VPN client access into a PIX that they use Microsoft PPTP instead of the Cisco client, mostly because of the NAT issue.

So, if you want a firewall and only need a few VPN clients, go with a PIX. If you have significant VPN client requirements, go with the 3000.

HTH

Dana

--
Dana J. Dawson djdawso at qwest.com
Senior Staff Engineer CCIE #1937
Qwest Global Services (612) 664-3364
Qwest Communications (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

From jtixthus at attbi.com Sun Jun 16 12:32:54 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Sun, 16 Jun 2002 09:32:54 -0700
Subject: [vpn] certificates of authority
References: <53BBA8839E91D51194D200902728944ED63C3E@host3.tbg.com>
Message-ID: <003201c21553$77988bb0$0200a8c0@jterry.net>

Hi all,

I am trying to authenticate a VPN between 2 routers with CAs using Win2k and its SCEP add-on. The service for World Wide Publishing keeps hanging, therefore the certificates are not received by the router. Troubleshooting via Microsoft states to make sure the administrator has full rights to the folders for crypto/machinekeys. This I have done, but the WWW Publishing service keeps hanging. Any ideas?

JT

From jtixthus at attbi.com Sun Jun 16 12:41:38 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Sun, 16 Jun 2002 09:41:38 -0700
Subject: [vpn] Difference between PIX and VPN 3000
References: <20020614044439.5116.qmail@web12704.mail.yahoo.com> <3D0A2242.23AD052D@qwest.com>
Message-ID: <005401c21554$b00a33d0$0200a8c0@jterry.net>

Hi all,

My guess was, with the new PIX with the "e" after the model, the concentrator was probably on its way out. The new PIXs do as many IPSEC tunnels as the Concentrators. Additionally, for username and password configuration you need AAA.

JT

From nharel at nettech-services.net Sun Jun 16 19:45:42 2002
From: nharel at nettech-services.net (Nate Harel)
Date: Sun, 16 Jun 2002 19:45:42 -0400
Subject: [vpn] newbie setting up vpn
Message-ID: <4.2.0.58.20020616193824.0124ba00@nettech-services.net>

Hi all,

Forgive my ignorance here, but I am trying to set up a small VPN connection between two offices.

Office A:
Win2K machine on a small network behind a Netgear router.
I set up the router to forward VPN traffic on port 1723 to the Win2K machine. That machine has been set up to accept incoming calls. I set up the local network using 192.168.0.x addresses. I configured the incoming connection to accept calls from networks with that address range. I also made the Office A local disk shared.

Office B:
WinXP machine on a small network behind a Netgear router. Again, I set up the router to forward VPN traffic on port 1723. That machine was set up with an outgoing VPN connection to Office A with an IP address of 192.168.0.100. This local network is also 192.168.0.x.

From Office B, I dial out to Office A and get a connection. I can see the connection being made at A. So far all is well. HOWEVER, from B, I cannot see any of Office A's network, files, computers, etc. It is almost like there is no connection at all.

HELP!! I am stumped.

Nate

----------------------------------
Nate Harel
NetTech Services
56 Pickering Street
Needham, MA 02492
Tel: 1-781-559-8176
Toll Free: 1-877-567-8936
FAX: 1-877-567-8936
Email: nharel at nettech-services.com
www.nettech-services.net
www.nettech-backup.com
www.nettech-hosting.com
----------------------------------

From infornet at 163.com Sun Jun 16 21:12:34 2002
From: infornet at 163.com (cyber)
Date: Mon, 17 Jun 2002 09:12:34 +0800
Subject: [vpn] need help
Message-ID: <20020617010859.28077.qmail@securityfocus.com>

Hi all:

Now I am doing some research on VPN; as my decision, I want to create a VPN gateway on FreeBSD, and want to add some fuzzy control ideas to it. But I need help, because now I have not a whole idea on this. Is there anyone doing such work? Help me!

cyber
infornet at 163.com
2002-06-17

From ragent at gnuchina.org Mon Jun 17 06:20:23 2002
From: ragent at gnuchina.org (Liu Wen)
Date: Mon, 17 Jun 2002 18:20:23 +0800
Subject: [vpn] bandwidth control on win2k VPN server?
Message-ID: <20020617181843.0209.RAGENT@gnuchina.org>

I have a VPN server running Win2K Advanced Server, but the bandwidth is limited and several users are using it. I want to do bandwidth control on that; how can I do it? Thanks..

Cheers
Liu

From scott.penno at gennex.com.au Mon Jun 17 03:57:10 2002
From: scott.penno at gennex.com.au (Scott Penno)
Date: Mon, 17 Jun 2002 17:57:10 +1000
Subject: [vpn] newbie setting up vpn
References: <4.2.0.58.20020616193824.0124ba00@nettech-services.net>
Message-ID: <004801c215d4$9642de90$0128a8c0@jupiter>

Hi Nate,

From what you're describing, you're attempting to set up a VPN from the WinXP client on a private network in office B to a Win2K host on a private network in office A. As these are Windows boxes, I'm guessing that you're using IPSec. Is this correct?

The problem here probably lies with the fact that you're attempting to use IPSec across a network connection that involves NAT. There are a number of incompatibilities between IPSec and NAT, which is why what you're attempting is not working. Have a look at http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-req ts-01.txt for more details about this.

Your best bet would be to create the VPN from the routers at your network's edge, or attempt to obtain public IP addresses for the hosts you wish to create a VPN between.

Scott.

From rmalayter at bai.org Mon Jun 17 12:50:50 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Mon, 17 Jun 2002 11:50:50 -0500
Subject: [vpn] newbie setting up vpn
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FCA3@mail.bai.org>

Well, considering that you have two networks with the exact same addressing scheme, you're in a lot of trouble. You'll have to re-address one of the networks (192.168.1.x) to ever have any hope of connectivity between the two.

From scott.penno at gennex.com.au Mon Jun 17 02:12:14 2002
From: scott.penno at gennex.com.au (Scott Penno)
Date: Mon, 17 Jun 2002 16:12:14 +1000
Subject: [vpn] need help
References: <20020617010859.28077.qmail@securityfocus.com>
Message-ID: <002601c215c5$ee2d9320$0128a8c0@jupiter>

VPN with FreeBSD. Definitely. I have my FreeBSD host talking to both Win2K clients and to a router from Allied Telesyn. All using IPSec with ISAKMP. Have a look at http://www.daemonnews.org/200101/ipsec-howto.html

Scott.

From guyd50 at hotmail.com Mon Jun 17 19:21:02 2002
From: guyd50 at hotmail.com (Guy D)
Date: Mon, 17 Jun 2002 19:21:02 -0400
Subject: [vpn] newbie setting up vpn
References: <4.2.0.58.20020616193824.0124ba00@nettech-services.net> <004801c215d4$9642de90$0128a8c0@jupiter>
Message-ID:

The suggested link was broken for me, but I think I found an alternative on the subject: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-01.txt

After saying this I notice that the URL was deformed in my email. Well, if that happened to anyone else, here it is again.

From andrev at uunet.co.za Thu Jun 20 01:17:59 2002
From: andrev at uunet.co.za (Andre Venter)
Date: Thu, 20 Jun 2002 07:17:59 +0200
Subject: [vpn] Cisco IPSec DES Bandwidth Overhead
Message-ID: <4C4355E1C401D6118473009027E0199BD9ED90@harx.staff.uunet.co.za>

Hi All,

Can anybody tell me what the bandwidth overhead is, as an average percentage, when using Cisco IPSec DES encryption between two points?

Any info would be appreciated,

Kind Regards

Andre

From cgripp at axcelerant.com Thu Jun 20 02:57:39 2002
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Wed, 19 Jun 2002 23:57:39 -0700
Subject: [vpn] Cisco IPSec DES Bandwidth Overhead
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFBE27A2@guam.corp.axcelerant.com>

32 bytes for ESP with DES+MD5

From panthen at gmx.net Thu Jun 20 07:46:43 2002
From: panthen at gmx.net (fabian panthen)
Date: Thu, 20 Jun 2002 13:46:43 +0200
Subject: [vpn] checkpoint and sonicwall
Message-ID: <3D11C0A3.A33521DC@gmx.net>

I'm just a developer, no VPN guru, and have the following problem: I need simultaneous access to 2 remote sites, one accessed via Checkpoint SecureClient and the other via SonicWall VPN client. This used to work fine with the crappy Win ME on my laptop, but I had to switch to Win2K for the .NET install. Since then I can only have one or the other installed for either one to work. This makes developing very uneasy, so the question is whether I can access both VPNs with only one client? Any experience?

thx
fabian

From Joel.Snyder at Opus1.COM Thu Jun 20 01:53:59 2002
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Wed, 19 Jun 2002 22:53:59 -0700
Subject: [vpn] Cisco IPSec DES Bandwidth Overhead
References: <4C4355E1C401D6118473009027E0199BD9ED90@harx.staff.uunet.co.za>
Message-ID: <3D116DF7.895EA117@opus1.com>

IPSEC adds between 50 and 57 octets of data to an IP packet for a normal ESP+3DES+SHA tunnel. This is invariant of packet size, modulo the 8-octet padding boundary. The bandwidth increase is largely irrelevant.

What kills you is when large packets (1500 octets) must be fragmented because the now-larger packet is too big for the MTU. This can double your packet count: you end up with alternating large/small packets and this plays havoc with the network. Networks operate poorly because they have too many packets, not because they have too many bits.

jms

Andre Venter wrote:
>
> Hi All,
>
> Can anybody tell me what the Bandwidth overhead is, as an average percentage, when using Cisco IPSec DES Encryption between two points.
> > Any info would be appreciated, > > Kind Regards > > Andre > > VPN is sponsored by SecurityFocus.com -- Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX) jms at Opus1.COM http://www.opus1.com/jms Opus One -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2067 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.shmoo.com/pipermail/vpn/attachments/20020619/a30e78ad/attachment.bin From Joel.Snyder at Opus1.COM Thu Jun 20 10:13:28 2002 From: Joel.Snyder at Opus1.COM (Joel M Snyder) Date: Thu, 20 Jun 2002 07:13:28 -0700 Subject: [vpn] Cisco IPSec DES Bandwidth Overhead References: <4EBB5C35607E7F48B4AE162D956666EFBE27A2@guam.corp.axcelerant.com> Message-ID: <3D11E309.372B0789@opus1.com> > 32 bytes for ESP with DES+MD5 No, definitely more than that. Here's the breakdown: 20 octets for the IP tunnel header. 4 for the SPI 4 for the sequence number 8 for the IV (DES/3DES are the same; 64-bit IV) some amount of padding, which may be between 0 and 7 octets 1 octet for pad length 1 octet for next header 16 octets for the ICV (hash) (HMAC-SHA1-96 or HMAC-MD5-96 are the same) So I was wrong: it's between 54 and 61. I don't know where I came up with 50 to 57. Probably counted the IV as 4 instead of 8. It was late here... jms Christopher Gripp wrote: > > 32 bytes for ESP with DES+MD5 > > -----Original Message----- > From: Andre Venter [mailto:andrev at uunet.co.za] > Sent: Wed 6/19/2002 10:17 PM > To: vpn at securityfocus.com > Cc: > Subject: [vpn] Cisco IPSec DES Bandwidth Overhead > > > > Hi All, > > Can anybody tell me what the Bandwidth overhead is, as an average percentage, when using Cisco IPSec DES Encryption between two points. 
> > Any info would be appreciated, > > Kind Regards > > Andre > > > VPN is sponsored by SecurityFocus.com > > -- Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX) jms at Opus1.COM http://www.opus1.com/jms Opus One -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2067 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.shmoo.com/pipermail/vpn/attachments/20020620/0d825cd4/attachment.bin From cgripp at axcelerant.com Thu Jun 20 12:30:53 2002 From: cgripp at axcelerant.com (Christopher Gripp) Date: Thu, 20 Jun 2002 09:30:53 -0700 Subject: [vpn] Cisco IPSec DES Bandwidth Overhead Message-ID: <4EBB5C35607E7F48B4AE162D956666EFF6EF90@guam.corp.axcelerant.com> Thanks for the breakdown. It was my failure to reference a good source of information. FYI, the source was a Linux article; http://www.linuxsecurity.com/feature_stories/yavipin-vpn.html Christopher Gripp Systems Engineer Axcelerant "A dead thing can go with the stream, but only a living thing can go against it." G.K. Chesterton > -----Original Message----- > From: Joel M Snyder [mailto:Joel.Snyder at Opus1.COM] > Sent: Thursday, June 20, 2002 7:13 AM > To: Christopher Gripp > Cc: Andre Venter; vpn at securityfocus.com > Subject: Re: [vpn] Cisco IPSec DES Bandwidth Overhead > > > > 32 bytes for ESP with DES+MD5 > > No, definitely more than that. Here's the breakdown: > > 20 octets for the IP tunnel header. > 4 for the SPI > 4 for the sequence number > 8 for the IV (DES/3DES are the same; 64-bit IV) > some amount of padding, which may be between 0 and 7 octets > 1 octet for pad length > 1 octet for next header > 16 octets for the ICV (hash) (HMAC-SHA1-96 or HMAC-MD5-96 are > the same) > > So I was wrong: it's between 54 and 61. > > I don't know where I came up with 50 to 57. Probably counted > the IV as > 4 instead of 8. It was late here... 
> > jms > > > Christopher Gripp wrote: > > > > 32 bytes for ESP with DES+MD5 > > > > -----Original Message----- > > From: Andre Venter [mailto:andrev at uunet.co.za] > > Sent: Wed 6/19/2002 10:17 PM > > To: vpn at securityfocus.com > > Cc: > > Subject: [vpn] Cisco IPSec DES Bandwidth Overhead > > > > > > > > Hi All, > > > > Can anybody tell me what the Bandwidth overhead is, > as an average percentage, when using Cisco IPSec DES > Encryption between two points. > > > > Any info would be appreciated, > > > > Kind Regards > > > > Andre > > > > > > VPN is sponsored by SecurityFocus.com > > > > > > -- > Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 > Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX) > jms at Opus1.COM http://www.opus1.com/jms Opus One > VPN is sponsored by SecurityFocus.com From Mike.Hancock at sourcemed.net Thu Jun 20 14:55:00 2002 From: Mike.Hancock at sourcemed.net (Mike Hancock) Date: Thu, 20 Jun 2002 13:55:00 -0500 Subject: [vpn] MD5 vs. SHA Message-ID: <7B0453A9A8227C4EADBA6AAEC29CDDA1921A7B@smbhmex01.corp.sourcemed.net> Can anyone explain the difference between MD5 and SHA (besides 128 vs 160 bits) or point me to a good reason to use one over the other? _______________________________ Mike Hancock VPN is sponsored by SecurityFocus.com From jogegabsd at intelnet.net.gt Thu Jun 20 17:23:00 2002 From: jogegabsd at intelnet.net.gt (jogegabsd) Date: Thu, 20 Jun 2002 15:23:00 -0600 Subject: [vpn] MD5 vs. SHA In-Reply-To: <7B0453A9A8227C4EADBA6AAEC29CDDA1921A7B@smbhmex01.corp.sourcemed.net> Message-ID: > Can anyone explain the difference between MD5 and SHA > (besides 128 vs 160 bits) or point me to a good reason to > use one over > the other? AFAIK MD5 is faster. But SHA-1 is stronger against brute force attacks. It's just a faster implementation. 
HTH

Gerardo Amaya

From cgripp at axcelerant.com Thu Jun 20 19:18:34 2002
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Thu, 20 Jun 2002 16:18:34 -0700
Subject: [vpn] MD5 vs. SHA
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFF6EF9A@guam.corp.axcelerant.com>

As found in "Applied Crypto":

SHA is MD4 with the addition of an expand transformation, an extra round and better avalanche effect.

MD5 is MD4 with improved bit hashing, an extra round and better avalanche effect.

There are no known cryptographic attacks against SHA. Because it produces a 160 bit hash, it is more resistant to brute-force attacks (including birthday attacks) than a 128 bit hash function.

Christopher Gripp
Systems Engineer
Axcelerant

"To be unhappy over what one lacks is to waste what one already possesses."

> -----Original Message-----
> From: Mike Hancock [mailto:Mike.Hancock at sourcemed.net]
> Sent: Thursday, June 20, 2002 11:55 AM
> To: vpn at securityfocus.com
> Subject: [vpn] MD5 vs. SHA
>
> Can anyone explain the difference between MD5 and SHA (besides 128 vs 160 bits) or point me to a good reason to use one over the other?

From jimd at lmi.net Thu Jun 20 21:16:21 2002
From: jimd at lmi.net (Jim Dueltgen)
Date: Thu, 20 Jun 2002 18:16:21 -0700
Subject: [vpn] Transparent bridging over Cisco VPN?
Message-ID:

I'm wondering if anyone knows whether or not the Cisco 3000-series VPN servers (or any other VPN concentrator you're familiar with) support protocol-transparent bridging to remote hardware clients, such as the Cisco 806 Broadband router or the VPN 3002 Hardware Client. The literature for the 806 seems to suggest it's possible at that end but I can't find anything one way or the other on the 3000-series.
The question is being driven by the need to support Appletalk over a VPN sooner than all the end-users can reasonably upgrade to OS X, which would eliminate the need to use Appletalk and transparent bridging. I've done this in point-to-point applications with low-end FlowPoint/Efficient DSL routers but that won't work for us in this situation. Any guidance would be appreciated.

Regards,

- Jim Dueltgen
LMi.net

From jtixthus at attbi.com Thu Jun 20 23:19:37 2002
From: jtixthus at attbi.com (jt)
Date: Thu, 20 Jun 2002 20:19:37 -0700
Subject: [vpn] Transparent bridging over Cisco VPN?
References:
Message-ID: <002e01c218d2$79798100$0400a8c0@we.client2.attbi.com>

How about redirecting the vpn tunnel to the internet router and then tunneling the appletalk in an IP friendly packet to the remote site?

JT

From steve at rotdoctor.com Fri Jun 21 11:26:15 2002
From: steve at rotdoctor.com (schowning)
Date: Fri, 21 Jun 2002 08:26:15 -0700
Subject: [vpn] Transparent bridging over Cisco VPN?
In-Reply-To: <002e01c218d2$79798100$0400a8c0@we.client2.attbi.com>
References: <002e01c218d2$79798100$0400a8c0@we.client2.attbi.com>
Message-ID:

Open Door Networks has some client software that converts AppleTalk to TCP/IP which should then be able to be transmitted over any normal network. Check out:
http://www.opendoor.com/shareway/
for more info.

Steve Chowning

> How about redirecting the vpn tunnel to the internet router and then
> tunneling the appletalk in an IP friendly packet to the remote site?
>
> JT

--
"Face piles of trials with smiles. It riles them to believe that you perceive the web they weave" - Moody Blues

From rtwatson at qwest.net Fri Jun 21 21:53:12 2002
From: rtwatson at qwest.net (Travis Watson)
Date: 21 Jun 2002 18:53:12 -0700
Subject: [vpn] checkpoint and sonicwall
In-Reply-To: <3D11C0A3.A33521DC@gmx.net>
References: <3D11C0A3.A33521DC@gmx.net>
Message-ID: <1024710794.2178.11.camel@dell1.traviswatson.net>

I haven't seen anyone respond as yet, so I'll take a stab at it.

Though I've never worked with Sonicwall, I've worked with several other IPSec VPN clients (including Checkpoint's) and I have yet to see two of them play nice with each other.

I have seen the FreeS/WAN client play with both a Nortel Contivity, FreeBSD box and Linux box (latter two using FreeS/WAN, of course), but the Contivity had to be configured to use FreeS/WAN and, on the Contivity side, WINS was lost in the process (understandably), so it didn't do a whole lot of good for someone wanting to get to a bunch of Windows resources by DNS name. The network was lacking anything Samba as well, so the FreeS/WAN wasn't much use either unless it was for UNIX sysads needing to do command line banging. It was just a test, really.

So, in short, I think you're screwed. Sorry to be the bringer of bad news, and I hope I'm wrong, but you are probably stuck having to go through install/reinstall hell unless you get a small hardware device of your own and eliminate the client software piece completely. If this is a long term thing and necessary for work, you might be able to talk boss man into it--especially if others can use it. A Netscreen 5xp (for example) retails at $495 with $150/yr support costs--not all too expensive, really. Just a thought.

Good luck.
--Travis

On Thu, 2002-06-20 at 04:46, fabian panthen wrote:
> i'm just a developer, no vpn guru and have the following problem:
>
> i need simultaneous access to 2 remote sites, one accessed via
> checkpoint secureclient and the other via sonicwall vpn client.
> used to work fine with the crappy win me on my laptop but had to switch
> to win2k for .net install. since then i can only have one or the other
> installed for either one to work.
> this makes developing very uneasy so the question is whether i can
> access both vpn's with only one client?
> any experience?
>
> thx
>
> fabian

From rmalayter at bai.org Fri Jun 21 15:45:51 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Fri, 21 Jun 2002 14:45:51 -0500
Subject: [vpn] MD5 vs. SHA
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187FCCC@mail.bai.org>

There have been advances in better-than-brute-force attacks against MD5. From http://www.ietf.org/rfc/rfc1828.txt:

"...it is known to be possible to produce collisions in the compression function of MD5. There is not yet a known method to exploit these collisions to attack MD5 in practice, but this fact is disturbing to some authors."

SHA-1 is simply a better choice in light of its longer digest and resistance to the aforementioned compression function attacks. Any performance penalty is minimal, so why not use it?

-----Original Message-----
From: Christopher Gripp [mailto:cgripp at axcelerant.com]
Sent: Thursday, June 20, 2002 6:19 PM
To: Mike Hancock; vpn at securityfocus.com
Subject: RE: [vpn] MD5 vs. SHA

As found in "Applied Crypto":

SHA is MD4 with the addition of an expand transformation, an extra round and better avalanche effect.

MD5 is MD4 with improved bit hashing, an extra round and better avalanche effect.

There are no known cryptographic attacks against SHA.
From TKoopman at SonicWALL.com Sat Jun 22 14:39:40 2002
From: TKoopman at SonicWALL.com (TKoopman at SonicWALL.com)
Date: Sat, 22 Jun 2002 11:39:40 -0700
Subject: [vpn] checkpoint and sonicwall
Message-ID: <7B8824D690092B4B90B0EF4674750A6501CA08BA@USEXCH3.us.sonicwall.com>

Fabian,

Travis has summed it up. The Checkpoint SecureRemote client has not been successfully configured to connect to the SonicWALL VPN. The SonicWALL VPN client is the Safenet client used by many vendors. Look around to see if anyone has gotten the Safenet client to connect to a Checkpoint. Most likely, there are some IPSEC parameters that need to be tweaked to get either of these clients to work. If you do not have control and permissions to change security association parameters, then you probably won't succeed.

Travis does have the right suggestion. Use a VPN firewall/appliance. He suggests a Netscreen. I suggest a SonicWALL TELE3. And not just because I work for SonicWALL :). Why introduce a third platform to deal with? The SonicWALL can establish a tunnel to a Checkpoint. This is documented on our website. And you won't have any problems establishing a tunnel between your two SonicWALLs, as long as one of the two endpoints has a static WAN IP address.

Best Regards

Todd Koopman
SonicWALL

From scott.penno at gennex.com.au Sat Jun 22 20:08:35 2002
From: scott.penno at gennex.com.au (Scott Penno)
Date: Sun, 23 Jun 2002 10:08:35 +1000
Subject: [vpn] checkpoint and sonicwall
References: <3D11C0A3.A33521DC@gmx.net> <1024710794.2178.11.camel@dell1.traviswatson.net>
Message-ID: <003c01c21a4a$219ffb70$0128a8c0@jupiter>

Similarly, I've used software clients from a number of vendors (including TimeStep PERMIT/Client, Checkpoint, Windows 2000 and FreeBSD) to talk to various hardware devices including those from Allied Telesyn, TimeStep, Checkpoint and Cisco with a reasonable level of success.

I'm not sure about both the clients, but if they're both using IPSec and are both attempting to bind to UDP port 500 for ISAKMP messages, then someone is going to lose out. If this is the case, I can't explain why it has worked in the past.

If they are both using IPSec and you know the parameters for each device, you should be able to use one of the clients to connect to both devices, or failing that, configure the IPSec functionality within Windows 2000 to connect to both boxes.

Scott.

From Stephen.Hope at energis.com Mon Jun 24 08:03:06 2002
From: Stephen.Hope at energis.com (Stephen Hope)
Date: Mon, 24 Jun 2002 13:03:06 +0100
Subject: [vpn] Transparent bridging over Cisco VPN?
Message-ID: <73BE32DA9E55D511ACF30050BAEA048702A8E929@eisemail.energis.co.uk>

I don't think either the VPN 3000 or the 800 series routers support bridging or routing of Appletalk. I found a ref. to bridging support on 800 series in the release notes:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121relnt/800/rn800t.htm

But that may not support a VPN tunnel.

VPN 3000 doesn't seem to mention anything in the docs apart from IP.

So, if you want to use either Appletalk routing or bridging you may need some of the larger (read more expensive) Cisco routers at each end of the tunnel. I would suggest a 1700 series box at the remote site, and 2600 or bigger at the centre if you have a lot of remotes. These and others can support hardware encryption if you need high bandwidth.

It is a long time since Appletalk was a common protocol, but whenever I have built a network supporting it over a WAN I have used routing, which works reasonably well. I wouldn't want to bridge it across a WAN, due to the amount of background traffic an Appletalk end system generates.

There is a standards based protocol called "AURP" which tunnels Appletalk over IP. It also has some tools to remap network numbers and reduce overhead traffic. It is supported in Cisco IOS (but not on 800 series). The end points are effectively Appletalk routers, with the tunnel acting as a logical network link between them.

Alternatively, the L2TP and PPTP protocols can support Appletalk routing and bridging, but you will need an implementation that will work with your other system components. Don't know of any off hand.......
Stephen

********************************************************************************************************
This e-mail is from Energis plc, 50 Victoria Embankment, London, EC4Y 0DE, United Kingdom, No: 2630471.

This e-mail is confidential to the addressee and may be privileged. The views expressed are personal and do not necessarily reflect those of Energis. If you are not the intended recipient please notify the sender immediately by calling our switchboard on +44 (0) 20 7206 5555 and do not disclose to another person or use, copy or forward all or any of it in any form.
********************************************************************************************************

From jtixthus at attbi.com Tue Jun 25 09:14:17 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Tue, 25 Jun 2002 06:14:17 -0700
Subject: [vpn] Transparent bridging over Cisco VPN?
References: <73BE32DA9E55D511ACF30050BAEA048702A8E929@eisemail.energis.co.uk> <000c01c21bd2$5b18a8a0$01050c0a@jupiter>
Message-ID: <001901c21c4a$363de9a0$0200a8c0@jterry.net>

hi all,

I have never used an 800 Cisco router but the books have always said it is the first router to use Cisco IOS. I do not see any documentation that shows it has fewer commands than any other. My guess is the 800 can do any command the others can do.

JT

From MGL6 at LVCM.COM Tue Jun 25 05:25:26 2002
From: MGL6 at LVCM.COM (Pam)
Date: Tue, 25 Jun 2002 10:25:26 +0100
Subject: [vpn] VPN assistance
Message-ID: <3D183706.7060209@LVCM.COM>

We are trying to connect to "vpn.webcommerce.com.au" with Windows NT 4.0 service pack 6a. The instructions say that Windows NT must maintain two sets of TCP/IP stack settings. We do not know how to accomplish this. Can you be of any assistance?

Thanks.

Pam
Marketing Group, Ltd.
702-387-0995 Ext. 234

From jtixthus at attbi.com Tue Jun 25 09:22:31 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Tue, 25 Jun 2002 06:22:31 -0700
Subject: [vpn] Transparent bridging over Cisco VPN?
References: <73BE32DA9E55D511ACF30050BAEA048702A8E929@eisemail.energis.co.uk> <000c01c21bd2$5b18a8a0$01050c0a@jupiter>
Message-ID: <002b01c21c4b$5c9e0520$0200a8c0@jterry.net>

I stand corrected. I looked at the software versions on CCO and only IP, IPX, and IP Plus are supported. Sorry, no Appletalk.
JT

From nharel at nettech-services.net Tue Jun 25 17:21:22 2002
From: nharel at nettech-services.net (Nate Harel)
Date: Tue, 25 Jun 2002 17:21:22 -0400
Subject: [vpn] directing traffic
Message-ID: <4.2.0.58.20020625171744.00ffc678@mail.nettech-services.net>

I recently set up a small vpn connection between my office and home computer. Other than the slow connection, I am having an interesting problem.

I have a W2K machine in my office running behind a Netgear router. Same setup at home. I make the connection to the home computer and all is well.
I created a network connection to the home machine and I have a regular
connection to my ISP.

However, when I have the VPN connection open, all the traffic that used to
go out to the ISP is trying to go via the VPN (and therefore, fails).

How can I direct traffic that is meant to go out, to not go via the VPN
channel?

Thanks
Nate

----------------------------------
Nate Harel
NetTech Services
56 Pickering Street
Needham, MA 02492-3198
Tel: 1-781-559-8176
Toll Free: 1-877-567-8936
FAX: 1-877-567-8936
Email: nharel at nettech-services.net
www.nettech-services.net
www.nettech-backup.com
----------------------------------

From scott.penno at gennex.com.au Mon Jun 24 18:56:12 2002
From: scott.penno at gennex.com.au (Scott Penno)
Date: Tue, 25 Jun 2002 08:56:12 +1000
Subject: [vpn] Transparent bridging over Cisco VPN?
References: <73BE32DA9E55D511ACF30050BAEA048702A8E929@eisemail.energis.co.uk>
Message-ID: <000c01c21bd2$5b18a8a0$01050c0a@jupiter>

Hi all,

I've used Allied Telesyn routers to create a similar solution using IPX
and L2TP. While it's not a Cisco solution, the routers do support
Appletalk, L2TP and IPSec and should be able to solve your problem.

Scott.

----- Original Message -----
From: "Stephen Hope"
To: "'schowning'" ; "jt" ;
Sent: Monday, June 24, 2002 10:03 PM
Subject: RE: [vpn] Transparent bridging over Cisco VPN?

> I don't think either the VPN 3000 or the 800 series routers support bridging
> or routing of Appletalk. I found a ref. to bridging support on 800 series in
> the release notes.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121relnt/800/rn800t.htm
>
> But that may not support a VPN tunnel.
>
> VPN 3000 doesn't seem to mention anything in the docs apart from IP.
>
> So, if you want to use either Appletalk routing or bridging you may need
> some of the larger (read more expensive) Cisco routers at each end of the
> tunnel. I would suggest a 1700 series box at the remote site, and 2600 or
> bigger at the centre if you have a lot of remotes. These and others can
> support hardware encryption if you need high bandwidth.
>
> It is a long time since Appletalk was a common protocol, but whenever I have
> built a network supporting it over a WAN I have used routing, which works
> reasonably well. I wouldn't want to bridge it across a WAN, due to the
> amount of background traffic an Appletalk end system generates.
>
> There is a standards based protocol called "AURP" which tunnels Appletalk
> over IP. It also has some tools to remap network numbers and reduce overhead
> traffic. It is supported in cisco IOS (but not on 800 series). The end
> points are effectively Appletalk routers, with the tunnel acting as a
> logical network link between them.
>
> Alternatively, the L2TP and PPTP protocols can support Appletalk routing
> and bridging, but you will need an implementation that will work with your
> other system components. Don't know of any off hand.......
>
> Stephen
>
> -----Original Message-----
> From: schowning [mailto:steve at rotdoctor.com]
> Sent: Friday, June 21, 2002 4:26 PM
> To: jt; vpn at securityfocus.com
> Subject: Re: [vpn] Transparent bridging over Cisco VPN?
>
> Open Door Networks has some client software that converts AppleTalk
> to TCP/IP which should then be able to be transmitted over any normal
> network. Check out:
> http://www.opendoor.com/shareway/
> for more info.
>
> Steve Chowning
>
> >How about redirecting the vpn tunnel to the internet router and then
> >tunneling the appletalk in an IP friendly packet to the remote site?
> >
> >JT
> >
> >----- Original Message -----
> >From: "Jim Dueltgen"
> >To:
> >Sent: Thursday, June 20, 2002 6:16 PM
> >Subject: [vpn] Transparent bridging over Cisco VPN?
> >
> >> I'm wondering if anyone knows whether or not the Cisco 3000-series
> >> VPN servers (or any other VPN concentrator you're familiar with)
> >> support protocol-transparent bridging to remote hardware clients,
> >> such as the Cisco 806 Broadband router or the VPN 3002 Hardware
> >> Client. The literature for the 806 seems to suggest it's possible at
> >> that end but I can't find anything one way or the other on the
> >> 3000-series. The question is being driven by the need to support
> >> Appletalk over a VPN sooner than all the end-users can reasonably
> >> upgrade to OS X which would eliminate the need to use Appletalk and
> >> transparent bridging. I've done this in point-to-point applications
> >> with low-end FlowPoint/Efficient DSL routers but that won't work for
> >> us in this situation. Any guidance would be appreciated.
> >>
> >> Regards,
> >>
> >> - Jim Dueltgen
> >> LMi.net
>
> --
> "Face piles of trials with smiles. It riles them to believe that you
> perceive the web they weave" - Moody Blues

From scott.penno at gennex.com.au Tue Jun 25 19:56:10 2002
From: scott.penno at gennex.com.au (Scott Penno)
Date: Wed, 26 Jun 2002 09:56:10 +1000
Subject: [vpn] directing traffic
References: <4.2.0.58.20020625171744.00ffc678@mail.nettech-services.net>
Message-ID: <007b01c21ca3$e1df4cf0$0128a8c0@jupiter>

Hi Nate,

Just want to try and get a better picture of what is occurring. You have a
W2K machine in the office connected to a Netgear router that is connected
to the Internet with the same at home. I take it that you only have one
Internet connection at each location and that that is the connection to the
Netgear router? And you're using the VPN functionality of W2K or is the
Netgear router performing this functionality?

If you only have the one Internet connection at each location, then either
way I'd suspect the VPN configuration as being the cause of your problems
in that the VPN appears to be picking up all traffic rather than just the
traffic that is destined from the office to home or vice versa.

Scott.

----- Original Message -----
From: "Nate Harel"
To:
Sent: Wednesday, June 26, 2002 7:21 AM
Subject: [vpn] directing traffic

> I recently set up a small vpn connection between my office and home
> computer. Other than the slow connection, I am having an interesting problem.
>
> I have a W2K machine in my office running behind a Netgear router. Same
> setup at home. I make the connection to the home computer and all is well.
> I created a network connection to the home machine and I have a regular
> connection to my ISP.
>
> However, when I have the VPN connection open, all the traffic that used to
> go out to the ISP is trying to go via the VPN (and therefore, fails).
>
> How can I direct traffic that is meant to go out, to not go via the VPN
> channel?
>
> Thanks
> Nate
>
> ----------------------------------
> Nate Harel
> NetTech Services
> 56 Pickering Street
> Needham, MA 02492-3198
> Tel: 1-781-559-8176
> Toll Free: 1-877-567-8936
> FAX: 1-877-567-8936
> Email: nharel at nettech-services.net
> www.nettech-services.net
> www.nettech-backup.com
> ----------------------------------

From neale at lowendale.com.au Wed Jun 26 08:11:20 2002
From: neale at lowendale.com.au (Neale Banks)
Date: Wed, 26 Jun 2002 22:11:20 +1000 (EST)
Subject: [vpn] Multilink-PPP/L2TP
Message-ID:

Not strictly a VPN question as such, but using the same technologies to
achieve a different end:

Has anyone had any success running Multilink-PPP over (at least) two L2TP
tunnels? If so what did you use and do?

The objective here is to aggregate/bundle two IP-paths into one virtual
path to increase the throughput (so encryption etc aren't necessary).

Thanks,
Neale.

From syu at ecmwf.int Wed Jun 26 06:04:33 2002
From: syu at ecmwf.int (Ahmed Benallegue)
Date: Wed, 26 Jun 2002 10:04:33 +0000
Subject: [vpn] FreeS/WAN-Cisco IOS AH tunnel
References: <73BE32DA9E55D511ACF30050BAEA048702A8E719@eisemail.energis.co.uk>
Message-ID: <3D1991B1.5185BD19@ecmwf.int>

Hi,

I had no problem to establish an ESP-3DES + ESP-MD5 tunnel between a Linux
box running FreeS/WAN v1.96 and a Cisco router running IOS v.12.1(7a)E6.

I am trying now to configure and establish an AH (either AH-SHA or AH-D5)
but I am experiencing some FreeS/WAN configuration issue: the parameter
"ah=" is not understood in the ipsec.conf file.

So, did anybody experience this before, and is there any solution?

Thanx.
Ahmed

--
+-------------------+--------------------------------+
| Ahmed Benallegue  | Network Analyst                |
| ECMWF             | e-mail: a.benallegue at ecmwf.int |
| United Kingdom    |                                |
+-------------------+--------------------------------+

From syu at ecmwf.int Tue Jun 25 06:52:49 2002
From: syu at ecmwf.int (Ahmed Benallegue)
Date: Tue, 25 Jun 2002 10:52:49 +0000
Subject: [vpn] CVPN 3.5 - IOS v12.1(7a) + FTP tests strange (maybe not) results
References:
Message-ID: <3D184B81.D54A2CF0@ecmwf.int>

Hi,

I am trying to set up an IPSec tunnel between a Laptop running Cisco VPN
Client 3.5 on Windows 2000 and a Cisco router 7140 running IOS 2.1(7a)E6
but I haven't succeeded so far.
I tried everything: preshared keys, dynamic maps... The point is that all
the configuration examples I have found so far (mainly on cisco.com) use
Cisco IOS v12.2(8)T. So do I have to update my IOS to this version or is
there any other configuration possibility?

I made some FTP tests (transferring a 12 Mbytes file) between a Cisco 7140
IOS router (in the UK) and a Cisco PIX (in Germany) going through the
Internet. I had the following results (transfer time + rate):

With an ISM encryption card ENABLED on the 7140 router:
AH-SHA           : 29s, 404 Kb/s
AH-SHA + ESP-DES : 39s, 300 Kb/s
ESP-SHA + ESP-DES: 31s, 375 Kb/s

With an ISM encryption card SHUTDOWN on the 7140 router:
AH-SHA           : 12s, 966 Kb/s (!!)
AH-SHA + ESP-DES : 21s, 530 Kb/s
ESP-SHA + ESP-DES: 22s, 530 Kb/s

It is true that the CPU usage on the router is much higher (up to 100%,
mainly due to the encryption process) when the ISM encryption card is
shutdown, but I didn't expect such a huge performance difference. I thought
that the encryption card would increase performance.

So, I will be pleased if someone can tell me if these results are normal or
if there is any explanation.

Thank you very much for any help.
Regards,
Ahmed

From omarkhawaja at yahoo.com Tue Jun 25 21:00:43 2002
From: omarkhawaja at yahoo.com (Omar Khawaja)
Date: Tue, 25 Jun 2002 21:00:43 -0400
Subject: [vpn] directing traffic
In-Reply-To: <4.2.0.58.20020625171744.00ffc678@mail.nettech-services.net>
Message-ID: <000001c21cac$e8567cd0$3600a8c0@okhawaja11>

if you are using an IPsec tunnel, you need to enable "Split tunneling" -
this will be done on the VPN concentrator. Unfortunately (as far as I know)
if you're using PPTP, there's no recourse..

Omar Khawaja

-----Original Message-----
From: Nate Harel [mailto:nharel at nettech-services.net]
Sent: Tuesday, June 25, 2002 5:21 PM
To: vpn at securityfocus.com
Subject: [vpn] directing traffic

I recently set up a small vpn connection between my office and home
computer. Other than the slow connection, I am having an interesting problem.

I have a W2K machine in my office running behind a Netgear router. Same
setup at home. I make the connection to the home computer and all is well.
I created a network connection to the home machine and I have a regular
connection to my ISP.

However, when I have the VPN connection open, all the traffic that used to
go out to the ISP is trying to go via the VPN (and therefore, fails).

How can I direct traffic that is meant to go out, to not go via the VPN
channel?

Thanks
Nate

----------------------------------
Nate Harel
NetTech Services
56 Pickering Street
Needham, MA 02492-3198
Tel: 1-781-559-8176
Toll Free: 1-877-567-8936
FAX: 1-877-567-8936
Email: nharel at nettech-services.net
www.nettech-services.net
www.nettech-backup.com
----------------------------------

From palberto at libero.it Wed Jun 26 04:34:31 2002
From: palberto at libero.it (Alberto Pesce)
Date: Wed, 26 Jun 2002 10:34:31 +0200
Subject: [vpn] HOW TO PIX
References: <4.2.0.58.20020625171744.00ffc678@mail.nettech-services.net>
Message-ID: <009601c21cec$4bc75750$7500a8c0@pescefaa5jjh1x>

Where can I find examples of VPN configurations on a Cisco PIX 501?

Thanks, bye!
Alberto Pesce (Italy)

From tony_td at hotmail.com Wed Jun 26 10:50:31 2002
From: tony_td at hotmail.com (Tony_td)
Date: Wed, 26 Jun 2002 10:50:31 -0400
Subject: [vpn] QUESTION???
References: <4.2.0.58.20020625171744.00ffc678@mail.nettech-services.net>
Message-ID:

Good morning everyone...!

I'm going to open a home business in my basement and I would like to obtain
some advice and tips on how to implement a small and efficient VPN network..

If you can provide me with a step by step guide on how to get started.

-What kind of ISP connection?
-How many public static IP addresses are needed?
-Do I need to register a DNS name?
-Which ISP is the most cost effective?
-Which VPN GATEWAY would be suitable for this project?
-What kind of server?
-Which Firewall would I consider?

Thanks
Tony!

PS: And implementing TERMINAL SERVER?

From necsam at johncsullivan.com Wed Jun 26 13:12:43 2002
From: necsam at johncsullivan.com (John C. Sullivan)
Date: Wed, 26 Jun 2002 13:12:43 -0400
Subject: [vpn] directing traffic
References: <000001c21cac$e8567cd0$3600a8c0@okhawaja11>
Message-ID: <00f901c21d34$b0240250$b005a8c0@jcsversa>

If you are setting up a VPN connection in the Windows machine, I think the
"Use default gateway on remote network" is checked by default.. If you want
most of your traffic to continue to go outside of the VPN, you need to
uncheck this box. On Windows XP, this is in the Advanced TCP/IP settings
for the connection. I don't have Win2K but it should be fairly similar.

----- Original Message -----
From: "Omar Khawaja"
To: "'Nate Harel'" ;
Sent: Tuesday, June 25, 2002 9:00 PM
Subject: RE: [vpn] directing traffic

if you are using an IPsec tunnel, you need to enable "Split tunneling" -
this will be done on the VPN concentrator. Unfortunately (as far as I know)
if you're using PPTP, there's no recourse..

Omar Khawaja

-----Original Message-----
From: Nate Harel [mailto:nharel at nettech-services.net]
Sent: Tuesday, June 25, 2002 5:21 PM
To: vpn at securityfocus.com
Subject: [vpn] directing traffic

I recently set up a small vpn connection between my office and home
computer. Other than the slow connection, I am having an interesting problem.

I have a W2K machine in my office running behind a Netgear router. Same
setup at home. I make the connection to the home computer and all is well.
I created a network connection to the home machine and I have a regular
connection to my ISP.

However, when I have the VPN connection open, all the traffic that used to
go out to the ISP is trying to go via the VPN (and therefore, fails).

How can I direct traffic that is meant to go out, to not go via the VPN
channel?

Thanks
Nate

----------------------------------
Nate Harel
NetTech Services
56 Pickering Street
Needham, MA 02492-3198
Tel: 1-781-559-8176
Toll Free: 1-877-567-8936
FAX: 1-877-567-8936
Email: nharel at nettech-services.net
www.nettech-services.net
www.nettech-backup.com
----------------------------------

From crenner at dynalivery.com Wed Jun 26 17:31:21 2002
From: crenner at dynalivery.com (Chuck Renner)
Date: Wed, 26 Jun 2002 16:31:21 -0500
Subject: [vpn] limiting access to specified ports on PIX firewall
Message-ID: <1D5FFAF04EC5D31182CD00508B5502BD8BCF0A@novac.dynalivery.com>

I have a PIX 506 firewall which is also providing VPN access to remote
users. For some users, I want to limit the ports they have access to on the
internal network, in this case for them to connect to an internal web
server.

My original thought was to create a new vpngroup, with a new address pool,
then create a new access list. I tried to create the access list like this:

access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

Where the internal network is 192.168.1.0/24, and the pool for VPN clients
is 192.168.3.0/24. However, the PIX isn't accepting this.

Am I going about this in completely the wrong way?

From Travis.Watson at Honeywell.com Wed Jun 26 16:40:03 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Wed, 26 Jun 2002 13:40:03 -0700
Subject: [vpn] FreeS/WAN-Cisco IOS AH tunnel
Message-ID:

Ahmed,

As a work-around, you are probably better off just running ESP-null
encryption. AH-only is a bit of a screwy add-on to IPSec (as an editorial).
ESP-null works fine and, of course, doesn't encrypt traffic while
authenticating the distant end--assuming that is your end goal.

--Travis

-----Original Message-----
From: Ahmed Benallegue [mailto:syu at ecmwf.int]
Sent: Wednesday, June 26, 2002 3:05 AM
Cc: vpn at securityfocus.com
Subject: [vpn] FreeS/WAN-Cisco IOS AH tunnel

Hi,

I had no problem to establish an ESP-3DES + ESP-MD5 tunnel between a Linux
box running FreeS/WAN v1.96 and a Cisco router running IOS v.12.1(7a)E6.

I am trying now to configure and establish an AH (either AH-SHA or AH-D5)
but I am experiencing some FreeS/WAN configuration issue: the parameter
"ah=" is not understood in the ipsec.conf file.

So, did anybody experience this before, and is there any solution?

Thanx.
Ahmed

--
+-------------------+--------------------------------+
| Ahmed Benallegue  | Network Analyst                |
| ECMWF             | e-mail: a.benallegue at ecmwf.int |
| United Kingdom    |                                |
+-------------------+--------------------------------+

From djdawso at qwest.com Wed Jun 26 13:15:35 2002
From: djdawso at qwest.com (Dana J. Dawson)
Date: Wed, 26 Jun 2002 12:15:35 -0500
Subject: [vpn] CVPN 3.5 - IOS v12.1(7a) + FTP tests strange (maybe not) results
References: <3D184B81.D54A2CF0@ecmwf.int>
Message-ID: <3D19F6B7.AC056F25@qwest.com>

Ahmed Benallegue wrote:
> Hi,
>
> I am trying to set up an IPSec tunnel between a Laptop running Cisco VPN
> Client 3.5 on Windows 2000 and a Cisco router 7140 running IOS 2.1(7a)E6
> but I haven't succeeded so far.
> I tried everything: preshared keys, dynamic maps... The point is that
> all the configuration examples I have found so far (mainly on
> cisco.com) use Cisco IOS v12.2(8)T. So do I have to update my IOS to
> this version or is there any other configuration possibility?

The Cisco 3.x client is first supported in 12.2(8)T, so you will have to
upgrade your router to use that client. Even then, however, IOS does not
yet support the full feature set of the 3.x client, most notably the IPSec
through NAT feature. For that reason I usually recommend that people use
PPTP with MPPE encryption instead of the Cisco IPSec clients to terminate
remote access VPN's in a Cisco router or Cisco PIX, since it works fine
through NAT (assuming your NAT device supports PPTP/IPSec pass through,
which most of them do today).

Good luck!

Dana

--
Dana J. Dawson                  djdawso at qwest.com
Senior Staff Engineer           CCIE #1937
Qwest Global Services           (612) 664-3364
Qwest Communications            (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

From john.spanos at adacel.com Thu Jun 27 00:52:35 2002
From: john.spanos at adacel.com (John Spanos)
Date: Thu, 27 Jun 2002 14:52:35 +1000
Subject: [vpn] limiting access to specified ports on PIX firewall
In-Reply-To: <1D5FFAF04EC5D31182CD00508B5502BD8BCF0A@novac.dynalivery.com>
Message-ID:

There are two ways to do it -

It can be done using a more complex solution. Using RADIUS to AAA VPN Remote
Clients you can send back a Filter-Id attribute which has an access-list
name/number. Provided this ACL is configured on the PIX then you can dish
out ACLs to VPN Remote Users on a per-user basis. Use "sh uauth" to see
users and their assigned ACLs. This is what I do. Some of this may vary if
you have an old PIX OS.

Alternatively if you want a quick fix -

By default all IPSec client connections have open access unless an ACL is
downloaded via the above method. What you can do is stop the return traffic
coming back - i.e. apply the following ACL on your inside interface:

access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 80

Hopefully, this should do the trick.
-----Original Message-----
From: Chuck Renner [mailto:crenner at dynalivery.com]
Sent: Thursday, June 27, 2002 7:31 AM
To: vpn at securityfocus.com
Subject: [vpn] limiting access to specified ports on PIX firewall

I have a PIX 506 firewall which is also providing VPN access to remote
users. For some users, I want to limit the ports they have access to on the
internal network, in this case for them to connect to an internal web
server.

My original thought was to create a new vpngroup, with a new address pool,
then create a new access list. I tried to create the access list like this:

access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

Where the internal network is 192.168.1.0/24, and the pool for VPN clients
is 192.168.3.0/24. However, the PIX isn't accepting this.

Am I going about this in completely the wrong way?

From tony_td at hotmail.com Thu Jun 27 10:42:55 2002
From: tony_td at hotmail.com (Tony_td)
Date: Thu, 27 Jun 2002 10:42:55 -0400
Subject: [vpn] Question!!!
References: <000001c21cac$e8567cd0$3600a8c0@okhawaja11> <00f901c21d34$b0240250$b005a8c0@jcsversa>
Message-ID:

hi! everyone...

thanks to all for your advice... Here are more specific specs

1#. It's a home business VPN project. I need (1-50) clients to access my
network through the internet.

2#. Does anyone know a good VPN GATEWAY ROUTER which does the trick? and
prices $$$ Canadian?

What do I need? Tell me if I'm missing anything...
-1. DSL Internet
-2. 1 static IP link to the internet
-3. VPN GATEWAY ROUTER

3#. If I use only WIN2K will it be sufficient?

thanks!
Tony!

Ps: ...Thanks to all of you!

From greg at nowicki.org Thu Jun 27 00:03:26 2002
From: greg at nowicki.org (Gregory D. Nowicki (Greg))
Date: Wed, 26 Jun 2002 21:03:26 -0700
Subject: [vpn] QUESTION???
In-Reply-To:
References: <4.2.0.58.20020625171744.00ffc678@mail.nettech-services.net>
Message-ID: <5.1.0.14.0.20020626204415.00abccf0@nowicki.org>

Hmmm. These are the questions that a lot of us get paid big money to
answer.

At 10:50 AM 6/26/02 -0400, Tony_td wrote:
>Good morning everyone...!

Good evening!

>I'm going to open a home business in my basement and I would like to obtain
>some advice and tips on how to implement
>a small and efficient VPN network..
>
>If you can provide me with a step by step guide on how to get started.
>
>-What kind of ISP connection?
>
>-How many public static IP addresses are needed?

You only _need_ one.

>-Do I need to register a DNS name?

Do you want people to find you by way of: www..

>-Which ISP is the most cost effective?

Where do you live? If you're going to be running an http server, you'll
most likely have to get a commercial account. I use Verizon and Aracnet (a
local ISP). They don't do port scans, so I can run pretty much anything I
desire.

>-Which VPN GATEWAY would be suitable for this project?

What's on the other end of the VPN? Road warriors? Static branch office?
Some setups could provide you with a VPN/firewall combination.

>-What kind of server?

What are you serving? HTML? SQL? PPTP?

>-Which Firewall would I consider?

What's your budget and expertise? ;-) Netscreen, SmoothWall, OpenBSD,
Checkpoint, Cisco (PIX), there are a lot of them out there with a wide
range of prices and administration requirements.

>Thanks
>Tony!
>
>PS: And implementing TERMINAL SERVER?

Inside of your firewall? Need lots of horsepower and some holes through
your firewall.

Firstly, you need to come up with a budget and a list of requirements. Once
you've done that, you can ask more specific questions that we may be able
to answer.

Regards,
Greg

From jtixthus at attbi.com Fri Jun 28 10:36:09 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Fri, 28 Jun 2002 07:36:09 -0700
Subject: [vpn] HOW TO PIX
References: <4.2.0.58.20020625171744.00ffc678@mail.nettech-services.net> <009601c21cec$4bc75750$7500a8c0@pescefaa5jjh1x>
Message-ID: <002e01c21eb1$24f66f50$0200a8c0@jtxixngte70fxo>

cisco.com search for security technical tips

JT

----- Original Message -----
From: "Alberto Pesce"
To:
Sent: Wednesday, June 26, 2002 1:34 AM
Subject: [vpn] HOW TO PIX

> Where can I find examples of VPN configurations on a Cisco PIX 501?
>
> Thanks, bye!
> Alberto Pesce (Italy)

From mcse4dave at HotPOP.com Wed Jun 26 21:58:27 2002
From: mcse4dave at HotPOP.com (Dave)
Date: Wed, 26 Jun 2002 18:58:27 -0700
Subject: [vpn] HOW TO PIX
References: <4.2.0.58.20020625171744.00ffc678@mail.nettech-services.net> <009601c21cec$4bc75750$7500a8c0@pescefaa5jjh1x>
Message-ID: <017801c21d7e$23ff64a0$0201a8c0@house>

Hi Alberto,

Here are a couple places to look;

http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm
http://www.cisco.cz/produkty/pdf/pix501_Quick_Start_Guide.pdf

Dave

----- Original Message -----
From: "Alberto Pesce"
To:
Sent: Wednesday, June 26, 2002 1:34 AM
Subject: [vpn] HOW TO PIX

Where can I find examples of VPN configurations on a Cisco PIX 501?

Thanks, bye!
Alberto Pesce (Italy)

From jtixthus at attbi.com Fri Jun 28 10:39:38 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Fri, 28 Jun 2002 07:39:38 -0700
Subject: [vpn] Transparent bridging over Cisco VPN?
References: <9B15677D28C8BA4F811D004966265092560626@bespems002.bespe.eu.pnu.com> Message-ID: <005001c21eb1$a1833350$0200a8c0@jtxixngte70fxo> What I meant by the first router is the lowest model that runs IOS. The 700 does not run native IOS. JT ----- Original Message ----- From: "DEPOVERE, KOEN [IT/8358]" To: "Jim Terry" Sent: Tuesday, June 25, 2002 11:37 AM Subject: RE: [vpn] Transparent bridging over Cisco VPN? > I does not support OSPF though ;-) > and it defenitely not the first router running IOS. > > my EUR0.2 > > Koen > > -----Original Message----- > From: Jim Terry [mailto:jtixthus at attbi.com] > Sent: dinsdag 25 juni 2002 15:14 > To: vpn at securityfocus.com > Subject: Re: [vpn] Transparent bridging over Cisco VPN? > > > hi all, > > I have never used an 800 Cisco router but the books have always said it is > the first router to use Cisco IOS. I do not see any documentation that > shows it has less commands than any other. My guess is the 800 can do any > command the others can do. > > JT > > > ----- Original Message ----- > From: "Scott Penno" > To: "Jim Dueltgen" > Cc: "Stephen Hope" ; "'schowning'" > ; "jt" ; > Sent: Monday, June 24, 2002 3:56 PM > Subject: Re: [vpn] Transparent bridging over Cisco VPN? > > > > Hi all, > > > > I've used Allied Telesyn routers to create a similar solution using IPX > > and L2TP. While it's not a Cisco solution, the routers do support > > Appletalk, L2TP and IPSec and should be able to solve your problem. > > > > Scott. > > > > > > > > ----- Original Message ----- > > From: "Stephen Hope" > > To: "'schowning'" ; "jt" ; > > > > Sent: Monday, June 24, 2002 10:03 PM > > Subject: RE: [vpn] Transparent bridging over Cisco VPN? > > > > > > > I don't think either the VPN 3000 or the 800 series routers support > > bridging > > > or routing of Appletalk. I found a ref. To bridging support on 800 > > series in > > > the release notes. 
> > > > > > > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121relnt/8 > > 00 > > > /rn800t.htm > > > > > > 80 > > > 0/rn800t.htm> > > > > > > But that may not support a VPN tunnel. > > > > > > VPN 3000 doesn't seem to mention anything in the docs apart from IP. > > > > > > So, if you want to use either Appletalk routing or bridging you may need > > > some the larger (read more expensive) Cisco routers at each end of the > > > tunnel. I would suggest a 1700 series box at the remote site, and 2600 > > or > > > bigger at the centre if you have a lot of remotes. These and others can > > > support hardware encryption if you need high bandwidth. > > > > > > > > > It is a long time since Appletalk was a common protocol, but whenever I > > have > > > built a network supporting it over a WAN I have used routing, which > > works > > > reasonably well. I wouldn't want to bridge it across a WAN, due to the > > > amount of background traffic an Appletalk end system generates. > > > > > > > > > There is a standards based protocol called "AURP" which tunnels > > Appletalk > > > over IP. It also has some tools to remap network numbers and reduce > > overhead > > > traffic. It is supported in cisco IOS (but not on 800 series). The end > > > points are effectively Appletalk routers, with the tunnel acting as a > > > logical network link between them. > > > > > > Alternatively, the L2TP and PPTP protocols can support Appletalk > > routing > > > and bridging, but you will need an implementation that will work with > > your > > > other system components. Don't know of any off hand....... > > > > > > Stephen > > > > > > -----Original Message----- > > > From: schowning [mailto:steve at rotdoctor.com] > > > Sent: Friday, June 21, 2002 4:26 PM > > > To: jt; vpn at securityfocus.com > > > Subject: Re: [vpn] Transparent bridging over Cisco VPN? 
> > >
> > > Open Door Networks has some client software that converts AppleTalk
> > > to TCP/IP which should then be able to be transmitted over any normal
> > > network. Check out:
> > > http://www.opendoor.com/shareway/
> > > for more info.
> > >
> > > Steve Chowning
> > >
> > > > How about redirecting the vpn tunnel to the internet router and then
> > > > tunneling the appletalk in an IP friendly packet to the remote site?
> > > >
> > > > JT
> > > >
> > > > ----- Original Message -----
> > > > From: "Jim Dueltgen"
> > > > To:
> > > > Sent: Thursday, June 20, 2002 6:16 PM
> > > > Subject: [vpn] Transparent bridging over Cisco VPN?
> > > >
> > > > > I'm wondering if anyone knows whether or not the Cisco 3000-series
> > > > > VPN servers (or any other VPN concentrator you're familiar with)
> > > > > support protocol-transparent bridging to remote hardware clients,
> > > > > such as the Cisco 806 Broadband router or the VPN 3002 Hardware
> > > > > Client. The literature for the 806 seems to suggest it's possible at
> > > > > that end but I can't find anything one way or the other on the
> > > > > 3000-series. The question is being driven by the need to support
> > > > > Appletalk over a VPN sooner than all the end-users can reasonably
> > > > > upgrade to OS X which would eliminate the need to use Appletalk and
> > > > > transparent bridging. I've done this in point-to-point applications
> > > > > with low-end FlowPoint/Efficient DSL routers but that won't work for
> > > > > us in this situation. Any guidance would be appreciated.
> > > > >
> > > > > Regards,
> > > > >
> > > > > - Jim Dueltgen
> > > > >   LMi.net
> > >
> > > --
> > > "Face piles of trials with smiles. It riles them to believe that you
> > > perceive the web they weave" - Moody Blues

From ILazar at burtongroup.com Fri Jun 28 11:42:24 2002
From: ILazar at burtongroup.com (Irwin Lazar)
Date: Fri, 28 Jun 2002 09:42:24 -0600
Subject: [vpn] HOW TO PIX
Message-ID: <53BBA8839E91D51194D200902728944ED63D5D@host3.tbg.com>

Try: http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX

----- Original Message -----
From: "Alberto Pesce"
To:
Sent: Wednesday, June 26, 2002 1:34 AM
Subject: [vpn] HOW TO PIX

> Where can I find examples of VPN configurations on a Cisco PIX 501?
>
> Thanks, Bye!
> Alberto Pesce (Italy)

From djdawso at qwest.com Thu Jun 27 17:52:46 2002
From: djdawso at qwest.com (Dana J. Dawson)
Date: Thu, 27 Jun 2002 16:52:46 -0500
Subject: [vpn] limiting access to specified ports on PIX firewall
References:
Message-ID: <3D1B892D.1FBC121A@qwest.com>

There's another approach you can take. All the sample VPN configs show the
"sysopt connection permit-ipsec" command as part of the config. It's this
command that allows all the IPSec and client VPN traffic to bypass the usual
PIX filtering, but you don't have to use it. If you leave that "sysopt"
command out, then you can use an access-list to allow different client
address pools to access different local addresses. You also have to
specifically allow the IPSec traffic into the PIX itself (UDP/500 and IP/50),
but that's not too hard.

I hope this helps.

Dana

--
Dana J. Dawson                  djdawso at qwest.com
Senior Staff Engineer           CCIE #1937
Qwest Global Services           (612) 664-3364
Qwest Communications            (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

John Spanos wrote:

> There are two ways to do it -
>
> It can be done using a more complex solution. Using RADIUS to AAA VPN
> Remote Clients you can send back a Filter-Id attribute which has an
> access-list name/number. Provided this ACL is configured on the PIX then
> you can dish out ACLs to VPN Remote Users on a per-user basis. Use "sh
> uauth" to see users and their assigned ACLs. This is what I do. Some of
> this may vary if you have an old PIX OS.
>
> Alternatively if you want a quick fix -
>
> By default all IPSec client connections have open access unless an ACL is
> downloaded via the above method. What you can do is stop the return traffic
> coming back - i.e. apply the following ACL on your inside interface:
>
> access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.3.0
> 255.255.255.0 eq 80
>
> Hopefully, this should do the trick.
> -----Original Message-----
> From: Chuck Renner [mailto:crenner at dynalivery.com]
> Sent: Thursday, June 27, 2002 7:31 AM
> To: vpn at securityfocus.com
> Subject: [vpn] limiting access to specified ports on PIX firewall
>
> I have a PIX 506 firewall which is also providing VPN access to remote
> users. For some users, I want to limit the ports they have access to on the
> internal network, in this case for them to connect to an internal web
> server.
>
> My original thought was to create a new vpngroup, with a new address pool,
> then create a new access list. I tried to create the access list like this:
>
> access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.1.0
> 255.255.255.0 eq 80
>
> Where the internal network is 192.168.1.0/24, and the pool for VPN clients
> is 192.168.3.0/24. However, the PIX isn't accepting this.
>
> Am I going about this in completely the wrong way?

From adrian at skytel.com.mx Fri Jun 28 12:52:26 2002
From: adrian at skytel.com.mx (Adrian Olguin)
Date: Fri, 28 Jun 2002 11:52:26 -0500
Subject: [vpn] FreeS/WAN
Message-ID: <002701c21ec4$31eaa600$fd0101c8@XOCHICALCA>

Hi all,

I have Firewall-1/VPN-1 doing NAT for our DMZ servers.

Here is my diagram:

(148.245.1.X internet) <---> FW-1/VPN-1 <---> 172.16.1.x (DMZ) <---> FW-1/VPN-1 <---> Internal Net (192.168.1.x)

I would like to try the FreeS/WAN VPN solution. When the FreeS/WAN solution asks me for the external address, what address would this be? 172.16.1.x or 148.245.1.X?

1.- Do I have to put the VPN server on the same segment as the Firewall-1, or do I have to put the FreeS/WAN server behind the Firewall-1 (remember it is doing NAT)?

2.- Is NAT important before setting up VPN solutions, or doesn't it matter?
Thanx
Adrian

From amyjsc at bigfoot.com Fri Jun 28 16:32:34 2002
From: amyjsc at bigfoot.com (Amy Waiser)
Date: Fri, 28 Jun 2002 15:32:34 -0500
Subject: [vpn] FW: help
Message-ID: <007201c21ee2$f0a013a0$6401a8c0@waiserssony>

-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Friday, June 28, 2002 3:31 PM
To: Amy Waiser
Subject: Re: help

pls send to vpn at securityfocus.com

On Fri, 28 Jun 2002, Amy Waiser wrote:

> I am a Manager of a small Air Conditioning Distributor. We are
> researching new software to run our business on, so naturally at the
> same time looking to connect our 9 branches to the system. Currently
> we have a UNIX server with pc's & dumb terminals connected through a
> digi board. Our branches are in 5 states & currently are not connected
> to our server. We are looking for a low cost way for them to have
> access to our system during working hours (approximately 50 hours a
> week) in hopes of conducting business in real time. I have received
> contradicting information from people regarding VPNs; one said we
> could run on VPNs, another said a VPN would be too slow for real time
> transactions. In the field we would have approximately 18 users & 20
> on site in the corporate office.
>
> Any comments, direction, or advice would be helpful & appreciated.
>
> Thank You,
> Amy Waiser

From jtixthus at attbi.com Sun Jun 30 10:17:26 2002
From: jtixthus at attbi.com (Jim Terry)
Date: Sun, 30 Jun 2002 07:17:26 -0700
Subject: [vpn] IPSEC/NAT
Message-ID: <007501c22040$dc496af0$0200a8c0@jtxixngte70fxo>

Hi all,

I know from discussions on here that you cannot do PAT and IPSEC. You may do one tunnel but not two. Does that mean to do 2 tunnels you have to have 2 addresses in your global pool? Is it a 1-to-1 correlation with globals and VPN tunnels, or is it just a matter of at least 2 globals and unlimited VPN tunnels?

Confused.
JT

From mcse4dave at HotPOP.com Fri Jun 28 20:22:02 2002
From: mcse4dave at HotPOP.com (Dave)
Date: Fri, 28 Jun 2002 17:22:02 -0700
Subject: [vpn] Question!!!
References: <000001c21cac$e8567cd0$3600a8c0@okhawaja11> <00f901c21d34$b0240250$b005a8c0@jcsversa>
Message-ID: <00c301c21f02$fe5b57f0$0201a8c0@house>

Hi Tony,

''1. DSL Internet''
50 clients? - You will need to get a really, really good DSL connection, or a cable connection, which is even better.

''2. 1 static IP link to the internet''
Yes, you will need a static IP.

''3. VPN GATEWAY ROUTER''
You need a router anyway. Since I am running Win2Kpro, I can have one connection - which is all I need. My plain old Linksys befsr41 non-VPN router works just fine - about $80.00 USD nowadays. Or get the new VPN one, it's about $150 USD.

''3#. If I use only WIN2K will it be sufficient?''
If you need more than one connection, you need Win2K Server. Or get the Linksys VPN router for $150 and save $1,000... but for 50 clients you will need a pretty good computer with plenty of memory.

Good Luck,
Dave

----- Original Message -----
From: "Tony_td"
To:
Sent: Thursday, June 27, 2002 7:42 AM
Subject: [vpn] Question!!!

hi! everyone... thanks to all for your advice...

Here are more specific specs

1#. It's a home business VPN project. I need (1-50) clients to access my network through the internet.

2#. Does anyone know a good VPN GATEWAY ROUTER which does the trick? And prices $$$ Canadian?

What do I need? Tell me if I'm missing anything...
-1. DSL Internet
-2. 1 static IP link to the internet
-3. VPN GATEWAY ROUTER

3#. If I use only WIN2K will it be sufficient?

thanks!
Tony!

Ps: ...Thanks to all of you!
From pjacob at ftmc.com Sun Jun 30 21:51:05 2002
From: pjacob at ftmc.com (Pete Jacob)
Date: Sun, 30 Jun 2002 21:51:05 -0400
Subject: [vpn] Multilink-PPP/L2TP
In-Reply-To:
Message-ID: <5.1.0.14.2.20020630215003.00aa7968@4.18.4.133>

Here is a good link to accomplish the task.

Cheers~
Pete Jacob.

http://www.overclockersclub.com/nexland.shtml

At 10:11 PM 6/26/2002 +1000, Neale Banks wrote:
>Not strictly a VPN question as such, but using the same technologies to
>achieve a different end:
>
>Has anyone had any success running Multilink-PPP over (at least) two L2TP
>tunnels? If so what did you use and do?
>
>The objective here is to aggregate/bundle two IP-paths into one virtual
>path to increase the throughput (so encryption etc aren't necessary).
>
>Thanks,
>Neale.
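Returning to the PIX thread earlier in this digest (Chuck Renner's per-pool access-list, Dana Dawson's "leave out sysopt connection permit-ipsec" approach): the fragment below is an added, constructed example in PIX 6.x configuration syntax, not configuration posted by anyone on the list. It assumes the interface names, the pool name "webonly", a PIX outside address of 203.0.113.1 and an internal web server at 192.168.1.10; the networks themselves (inside 192.168.1.0/24, client pool 192.168.3.0/24) are the ones from the thread. It also shows why the line the PIX rejected fails: a port operator such as "eq 80" is only valid with tcp or udp, never with ip.

```cisco
! Constructed example, not from the thread. Interface names, pool name,
! 203.0.113.1 (documentation range) and 192.168.1.10 are assumptions.

! Address pool handed out to the restricted vpngroup
! (the vpngroup's other settings and the existing isakmp/crypto map
! configuration are unchanged and omitted here).
ip local pool webonly 192.168.3.1-192.168.3.254
vpngroup webusers address-pool webonly

! Deliberately NOT configured: sysopt connection permit-ipsec
! Without it, decrypted client traffic is checked against the ACL bound to
! the interface it arrives on (outside), so that ACL is what limits the pool.

! 1) Let IKE (UDP/500) and ESP (IP protocol 50) reach the PIX itself.
access-list outside_in permit udp any host 203.0.113.1 eq isakmp
access-list outside_in permit esp any host 203.0.113.1

! 2) Decrypted client traffic from the pool: only TCP/80 to the web server.
!    Protocol is tcp, not ip; "permit ip ... eq 80" is rejected by the parser.
access-list outside_in permit tcp 192.168.3.0 255.255.255.0 host 192.168.1.10 eq www
! Explicit deny for the rest of the inside network (the implicit deny at the
! end of the list would do the same; spelled out for readability and logging).
access-list outside_in deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

! Bind the list inbound on the outside interface. Note: this replaces any
! access-list already applied there, so merge existing entries first.
access-group outside_in in interface outside

! 3) Exempt inside <-> pool traffic from NAT so replies take the tunnel back.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
```

After a client connects, "show uauth" (as John Spanos notes) and "show access-list outside_in" hit counts confirm which entries the pool traffic is matching.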