From jroy at axcelerant.com Tue Oct 1 22:38:10 2002
From: jroy at axcelerant.com (Jerry Roy)
Date: Tue, 1 Oct 2002 19:38:10 -0700
Subject: [VPN] Cisco 3000 clients
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF0164BD74@guam.corp.axcelerant.com>

Hi Folks,

Been watching the thread. Need some input if any of you have used the EzVPN capability on the Concentrator with a 1710? I have a large quantity of mobile workers (Unity client) and about 50 branch offices (hoping for 1710 and EzVPN). I want to manage all from the Concentrator and was hoping the EzVPN feature was usable. Any real world input would be useful. I have done the examples off of Cisco's site, but if this is all it offers, what's the point? It's too basic.

Thanks,

Jerry Roy [Systems Engineer], [Axcelerant, Inc.]
jroy at axcelerant.com
Office: (949) 221-7208
Mobile: (562) 305-9545

>-----Original Message-----
>From: Siddhartha Jain [mailto:losttoy2000 at yahoo.co.uk]
>Sent: Sunday, September 29, 2002 9:55 PM
>To: Joel M Snyder; Eirik Schwenke
>Cc: vpn at lists.shmoo.com
>Subject: Re: [VPN] Cisco 3000 clients
>
>
>Yep. I agree that you can't do a big roll-out with
>non-cisco clients if you are using Cisco VPN
>concentrator? But why wouldn't you use Cisco VPN
>clients if your roaming users are all on Windows
>9x/2k/XP?
>
> --- Joel M Snyder wrote:
>
>> >You can use any IPSec compliant client with Cisco VPN
>> >3000.
>>
>> >Whahhahahahahah....
>>
>> >No seriously.
>>
>> I can echo Eirik's sentiment. There's a HUGE difference between what is
>> possible and what is practical. Yeah, sure, you can find an IPsec client for
>> virtually anything, and it can be crafted in some way so that it is potentially
>> possible to talk to almost any VPN gateway server---we prove that in our labs
>> all the time.
>>
>> But the reality is that for remote access VPN, unless you're doing a trivial
>> case with 10 users and a network that never changes, the only practical way to
>> do this is to use the vendor-supplied client. It's not just XAUTH (although
>> authentication is a big piece of the picture), but also policy updating and
>> management, support for NAT traversal ("so many standards to pick from; so
>> little time to try them all..."), and address assignment (mode config).
>>
>> Yeah, you got a VPN concentrator and this one Linux guy at home with a static
>> IP address and a known subnet who wants to come in, sure, you can make it work.
>> But in the general case, forget it. You need to go with one of the vendors who
>> supports a truly broad range of software and hardware clients, which is
>> astonishingly slim (hint: they both begin with the letter C) if you care about
>> multiple platforms.
>>
>> jms
>>
>> PS: This is a shortened version of the 3000 word rant on VPN remote access to
>> appear in Network World on October 28.
>>
>> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
>> Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
>> jms at Opus1.COM http://www.opus1.com/jms Opus One
>> _______________________________________________
>> VPN mailing list
>> VPN at lists.shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/vpn
>

From TomM at spectrum-systems.com Wed Oct 2 11:08:46 2002
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Wed, 2 Oct 2002 11:08:46 -0400
Subject: [VPN] VPN using Netscreen 5xp
Message-ID: <2A0DB5123A51874C82699788F0985ED2064E40@sith.spectrum-systems.com>

I work with both the NetScreen hardware and the software, and I think the latter has improved a bit lately. I would suggest, though, that you stick with IKE-based VPNs rather than manual keys because the regular renegotiations of the keys means that the encryption codes keep changing, so it's more secure.

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com
Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"
11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

Stop struggling with your network! You can save yourself the headache of total network management and save money at the same time by using the help and expertise of experienced professionals. Call us at 800-929-3781 or visit us at http://www.spectrum-systems.com to learn more.

> -----Original Message-----
> From: Chad Osmond [mailto:osmond at holburn.com]
> Sent: Monday, September 30, 2002 2:05 PM
> To: Watson, Travis
> Cc: vpn at lists.shmoo.com
> Subject: Re: [VPN] VPN using Netscreen 5xp
>
>
> > I'm a little confused, Chad. You mention setting up a b2b but you
> > reference client software as well. And, your remote (which I presume
> > is work) is the end with a dynamic IP address? It seems like I'm
> > missing something.
>
> I'm looking to setup road-warriors -> Office VPN's
>
> Road warriors have dynamic IP addresses, Office is static.
> Office is a NetScreen 5XP device, RW's will have to be some sort of client
> like Netscreen remote, or alternative (Which I'm still trying to find a good
> one)
>
> > The endpoint IP is usually included as part of the SA, but you can go
> > around that if you use certificates for authentication. I don't know
> > how sophisticated the distant end device is, but the Netscreen can
> > handle it--if you can get your hands on a couple of certs and
> > convince the distant end to use it, which might be a non-starter.
>
> The netscreen can also use some sort of Username authentication and manual
> keys, I'm still unsure of how to set this up. Certs are a possibility but I'd
> like to avoid them for now. Static IP -> Static IP vpn's are a breeze and I
> have a few up now. Just adding the one side dynamic that messes me up a bit.
>
> > Also, Netscreen has their own client software (Netscreen-Remote)
> > which sells for a dollar a seat, I'm pretty sure. Their client
> > software used to be pretty bad, truthfully, but this new stuff is
> > supposed to be excellent. You may well want to give that a go.
>
> $15.20 CAD / Seat according to the call I was just on. Minimum order of 10.
> I think I'm about to get a demo of their (NS) client to try and see if I can
> get to go.
>
> > Let me know what I'm missing though--I know I'm not understanding it
> > fully.
>
> I agree it was a little unclear, I need to start drinking coffee or
> something in the morning (I think thinkgeek has a caffeinated soap.. I
> should look into that.)
>
> Chad
>

From jon-pop at tertial.org Wed Oct 2 17:05:21 2002
From: jon-pop at tertial.org (Jon Still)
Date: Wed, 2 Oct 2002 22:05:21 +0100
Subject: [VPN] IPsec Client for Macintosh
In-Reply-To:
Message-ID:

Mac OS X 10.2 has IPSEC built-in in the form of the KAME IPSEC/IPv6 implementation. I've yet to try configuring it, but I'd love to hear from anyone who tries it. Also, Mac OS X has support for PPTP connections from the Internet Connection app.

Jon.

> On Monday, September 23, 2002, at 03:30 AM, Johan Andersson wrote:
>
>> Hi,
>>
>> I wonder if there is anyone out there that knows if there is a vendor for
>> IPsec clients for Macintosh! If so what's the name and the vendor's name.
>> I don't want a client from Fx. Cisco and CheckPoint

--
Jon Still
E-mail: jon-pop at tertial.org
tertial.org Web: http://www.tertial.org/
GPG Key: http://xanthein.net/key.asc
Key ID: 0x00493D2B

--
Jon Still
E-mail: jon at tertial.org
tertial.org Web: http://www.tertial.org/
GPG Key: http://xanthein.net/key.asc
Key ID: 0x00493D2B

From palberto at libero.it Fri Oct 4 08:41:29 2002
From: palberto at libero.it (Alberto Pesce)
Date: Fri, 4 Oct 2002 14:41:29 +0200
Subject: [VPN] help config PIX 501
Message-ID: <002b01c26ba3$7f5ae5e0$7500a8c0@pescefaa5jjh1x>

Hello to everybody!

I have a problem: I'm trying to create a VPN based on IPSEC and ISAKMP between a Cisco PIX 501 firewall and a ZyXel Zywall 10. As for the configuration part on the Zywall I have no problems (it is very simple), but for the part on the PIX 501 I have to ask for your help. Below I wrote the configuration about the VPN that I set (I'm not really sure about that!).

Network scenario:

lan(192.168.0.x)<-->(192.168.0.253)PIX501(A.x.x.x)<-->ROUTER(C.x.x.x)
                                                            |
                                                            |
ROUTER(D.x.x.x)<-->(B.x.x.x)ZyWall(192.168.10.11)<-->lan(192.168.10.x)

A.xxx.xxx.xxx, C.xxx.xxx.xxx, B.xxx.xxx.xxx, D.xxx.xxx.xxx : are static public IP addresses

Cisco PIX501 Configuration:

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
....
hostname cdtfw
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
interface ethernet0 10baset
interface ethernet1 10full
ip address outside A.xxx.xxx.xxx 255.255.255.xxx
ip address inside 192.168.0.253 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 C.x.x.x 1
....
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ascomcdt esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer B.xxx.xxx.xxx
crypto map transam 1 set transform-set ascomcdt
crypto map transam 1 set security-association lifetime seconds 43200 kilobytes 4608000
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address B.xxx.xxx.xxx netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
....

After the ping made by a host on the network of the PIX 501 I get what follows. How can I interpret it?

cdtfw# debug crypto isakmp
cdtfw#
VPN Peer: ISAKMP: Added new peer: ip:B.xxx.xxx.xxx Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:B.xxx.xxx.xxx Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src B.xxx.xxx.xxx, dest A.xxx.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0xa8 0xc0
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src B.xxx.xxx.xxx, dest A.xxx.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 33
ISAKMP (0): Total payload length: 37
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src A.xxx.xxx.xxx, dst B.xxx.xxx.xxx
ISADB: reaper checking SA 0x8094d6c8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:B.xxx.xxx.xxx Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:B.xxx.xxx.xxx Total VPN peers:0
cdtfw# no debug crypto isakmp
cdtfw#

I hope I have given you all the information you need in order to help me. I await your suggestions.

Thank You

From Travis.Watson at Honeywell.com Tue Oct 8 15:15:41 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Tue, 8 Oct 2002 12:15:41 -0700
Subject: [VPN] VPN using Netscreen 5xp
Message-ID:

Chad,

Sorry for the delay--been buried and haven't looked at the list for a while. Anyway, that's definitely more clear--I can be pretty obtuse, have to spell it out for me.

I almost choked on the $15.20 figure. If that includes the integrated firewall, then that would be a pretty decent price, actually, but I don't know if it does (rather doubt it). You should never have to pay more than $10/head for the basic client (the buck a piece figure was for 1000 users and up--sorry). The problem with client software is that, usually, there is no real incentive to make it all that solid--just good enough to sell the hardware. That's where NS did it right, in my opinion, in that they gave up on their stuff and went to a company that actually tries to make a living from selling VPN client software only.

http://www.ntsecurity.com/netscreen/Scripts/prodList.asp?idCategory=23

If the other device has a dynamic IP, you may well have to pony up the cash to get a routable static or make periodic edits. Certs are the only other way to make it work for certain (that I know of) and both devices have to be able to make a pkcs10 and be able to store the cert for that to happen. I hope I'm wrong, but that's been my experience.

--Travis

-----Original Message-----
From: Chad Osmond [mailto:osmond at holburn.com]
Sent: Monday, September 30, 2002 11:05 AM
To: Watson, Travis
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] VPN using Netscreen 5xp

From Travis.Watson at Honeywell.com Tue Oct 8 15:18:05 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Tue, 8 Oct 2002 12:18:05 -0700
Subject: [VPN] IPsec Client for Macintosh
Message-ID:

Yeah, I hadn't thought of that. They should have racoon as well, yes? Do you think the kernel would have to be recompiled or is it already in the kernel?

--Travis

-----Original Message-----
From: Jon Still [mailto:jon-pop at tertial.org]
Sent: Wednesday, October 02, 2002 2:05 PM
To: vpn at lists.shmoo.com
Subject: Re: [VPN] IPsec Client for Macintosh

From Travis.Watson at Honeywell.com Thu Oct 10 00:04:59 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Wed, 9 Oct 2002 21:04:59 -0700
Subject: [VPN] netscreen and ckpt ng
Message-ID:

Hi All,

I am lost, lost, lost trying to get a simple b2b setup between a checkpoint cluster and a Netscreen 5xp. Should be as simple as anything, and I control both ends, so I can see logs.

Basically I can't get past phase 1. The consistent error message on checkpoint is "no subnet support in ike negotiations." I've tried every encryption setting possible--pfs, no pfs, aggressive, main, compression, no compression, etc.

What in *the hell* could I be missing? It has to be obvious, but I've been staring at this thing for hours and can't figure it out.

One thing I noticed (and it may be nothing or everything, but the cli says "currently not supported") is that I can't put the remote gateway in a VPN group by trying to assign it in the Auto-key settings. I assign it, hit OK, and get no error messages, but, like I said, the cli basically says "can't do that, sorry."

Any help would be greatly appreciated. I'm frustrated like Django Reinhardt trying to get the last pickle out of the jar and I'm out of ideas.

Thanks,
Travis

From lisa at corecom.com Thu Oct 10 10:04:05 2002
From: lisa at corecom.com (Lisa Phifer)
Date: Thu, 10 Oct 2002 10:04:05 -0400
Subject: [VPN] VPN using Netscreen 5xp
In-Reply-To:
Message-ID: <4.2.0.58.20021010093423.02ec8698@vws0101.fast.net>

At 12:15 PM 10/8/2002 -0700, wrote:
>If the other device has a dynamic IP, you may well have to pony up the
>cash to get a routable static or make periodic edits. Certs are the only
>other way to make it work for certain

No, a remote peer can have a dynamic IP and use preshared secrets if you identify that peer by FQDN or User-FQDN and use Aggressive Mode.

When using a pair of NS5XPs:

1) On the NS with the static IP, use the Gateway screen to configure the dynamic peer. Check "Dynamic IP Address", put the hostname of the dynamic peer in the "Peer ID" field, and check "Aggressive Mode".

2) On the NS with the dynamic IP, use the Gateway screen to configure the static peer. Check "Static IP Address" and "Aggressive Mode". Under "Local ID", enter the local hostname of the dynamic device.

When using an NS5XP (static) and a VPN client (dynamic):

1) On the NS with the static IP, use the Gateway screen to configure a "Dialup User". Pick a User Group or specific User from the pulldown. Check "Aggressive Mode." From the Users screen, create an entry for each VPN client: under "IKE Identity", enter the email address that the dynamically-addressed client will use to identify itself.

2) On the VPN client with the dynamic IP, under "Remote Party Identity and Addresses", check "Connect Using", select IP Address, and enter the IP address of the static peer. Under "Security Policy", check Aggressive Mode. Under "My Identity", enter the client's email address.

Both configs use preshared secrets for authentication. (Note: these are NOT manual keys.) You ~can~ use certificates instead of preshared secrets in either config for stronger authentication, but you certainly do not have to.
In either case, IKE can only be initiated by the side with the dynamic IP, and the static peer can only be the responder.

Regards,
Lisa

=========================================================
Lisa A. Phifer lisa at corecom.com
Core Competence http://www.corecom.com
=========================================================

From volker.tanger at discon.de Thu Oct 10 10:31:22 2002
From: volker.tanger at discon.de (Volker Tanger)
Date: Thu, 10 Oct 2002 16:31:22 +0200
Subject: [VPN] netscreen and ckpt ng
References:
Message-ID: <3DA58F3A.9000301@discon.de>

Greetings!

Watson, Travis wrote:
>
> Basically I can't get past phase 1. The consistent error message on
> checkpoint is "no subnet support in ike negotiations." I've tried
> every encryption setting possible--pfs, no pfs, aggressive, main,
> compression, no compression, etc.
>
> What in *the hell* could I be missing? It has to be obvious, but
> I've been staring at this thing for hours and can't figure it out.

On the CheckPoint you enabled "Support key exchange for subnets" for both the CKP and the NetScreen object? That setting is a bit hidden when editing the object:

VPN / IKE -> Edit / Advanced / low left corner

The setting used to be on the IKE -> Edit properties page in the V.41 client. Yepp, took myself a bit of searching some time ago, too.

Bye

Volker Tanger
IT-Security Consulting
--
discon gmbh
Wrangelstraße 100
D-10997 Berlin
fon +49 30 6104-3307
fax +49 30 6104-3461
volker.tanger at discon.de
http://www.discon.de/

From osmond at holburn.com Thu Oct 10 10:40:16 2002
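Lisa's explanation above, modelled as an added example (my own code, not from the list or from NetScreen): a responder's pre-shared-key selection in Main Mode versus Aggressive Mode, using the SKEYID derivation of RFC 2409. The peer table, addresses and keys are constructed, and the wildcard-key behaviour some gateways offer is only mentioned in a comment.

```python
"""IKEv1 Phase 1 pre-shared-key selection on the responder (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Sequence

ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN = "ID_IPV4_ADDR", "ID_FQDN", "ID_USER_FQDN"


@dataclass(frozen=True)
class Peer:
    """One remote gateway or dial-up user as configured on a gateway."""
    name: str
    psk: bytes
    address: Optional[str] = None   # None: dynamic, not known in advance
    id_type: str = ID_IPV4_ADDR
    ike_id: Optional[str] = None    # hostname (FQDN) or e-mail (User-FQDN)


class NoPsk(Exception):
    pass


def select_psk_main_mode(peers: Sequence[Peer], src_ip: str) -> bytes:
    """Main Mode responder. After message 1 the responder knows only the
    initiator's source IP; the ID payload arrives in message 5, already
    encrypted under keys derived from the PSK, so the key must be chosen
    by address. (Some gateways allow one wildcard key for every unknown
    address, which gives up per-peer secrets; not modelled here.)"""
    for p in peers:
        if p.address == src_ip:
            return p.psk
    raise NoPsk(f"no pre-shared key configured for address {src_ip}")


def select_psk_aggressive_mode(peers: Sequence[Peer], src_ip: str,
                               id_type: str, ike_id: Optional[str]) -> bytes:
    """Aggressive Mode responder. Message 1 carries the initiator's ID in
    the clear, so the key can be chosen by identity and the source IP may
    be whatever the ISP handed out today."""
    if id_type == ID_IPV4_ADDR:
        return select_psk_main_mode(peers, src_ip)
    for p in peers:
        if p.id_type == id_type and p.ike_id == ike_id:
            return p.psk
    raise NoPsk(f"no pre-shared key configured for {id_type} {ike_id!r}")


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def phase1_authenticates(mode: str, responder_table: Sequence[Peer],
                         initiator: Peer, src_ip: str) -> bool:
    """True when both sides derive the same SKEYID, which is what the
    HASH_I / HASH_R exchange at the end of Phase 1 effectively checks."""
    try:
        if mode == "main":
            responder_psk = select_psk_main_mode(responder_table, src_ip)
        else:
            responder_psk = select_psk_aggressive_mode(
                responder_table, src_ip, initiator.id_type, initiator.ike_id)
    except NoPsk:
        return False
    ni, nr = os.urandom(16), os.urandom(16)   # nonces travel in the clear
    return hmac.compare_digest(skeyid(responder_psk, ni, nr),
                               skeyid(initiator.psk, ni, nr))


def can_initiate(remote: Peer) -> bool:
    """A gateway can only start IKE toward a peer whose address it knows,
    which is why the static side is always the responder for a dynamic peer."""
    return remote.address is not None


def demo() -> dict:
    """Constructed sample: an HQ table with one static partner gateway, one
    dynamic branch identified by FQDN and one client identified by e-mail."""
    partner = Peer("partner", b"psk-partner", address="198.51.100.7")
    branch = Peer("branch", b"psk-branch", id_type=ID_FQDN, ike_id="branch.example.net")
    alice = Peer("alice", b"psk-alice", id_type=ID_USER_FQDN, ike_id="alice@example.net")
    hq_table = [partner, branch, alice]
    dyn_ip = "192.0.2.44"                     # today's dial-up address
    wrong_secret = Peer("x", b"guess", id_type=ID_FQDN, ike_id="branch.example.net")
    hq_as_seen_by_branch = Peer("hq", b"psk-branch", address="203.0.113.1")
    return {
        "partner_main": phase1_authenticates("main", hq_table, partner, "198.51.100.7"),
        "branch_main": phase1_authenticates("main", hq_table, branch, dyn_ip),
        "branch_aggressive": phase1_authenticates("aggressive", hq_table, branch, dyn_ip),
        "alice_aggressive": phase1_authenticates("aggressive", hq_table, alice, dyn_ip),
        "wrong_psk": phase1_authenticates("aggressive", hq_table, wrong_secret, dyn_ip),
        "hq_can_initiate": can_initiate(branch),
        "branch_can_initiate": can_initiate(hq_as_seen_by_branch),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result}")
```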
From: osmond at holburn.com (osmond at holburn.com)
Date: Thu, 10 Oct 2002 10:40:16 -0400
Subject: [VPN] Netscreen 5 Problems - P2 Proxy ID
Message-ID:

Thanks for all the help people suggested, I've changed clients to a Netscreen 7 client to try and connect to my Netscreen 5xp.

Now I can get past phase 1, but not 2. I've run the debug on the netscreen and come up with this:

(IP addresses have been replaced with fictional addresses)

Anyone have any ideas why this isn't working?

##2002-10-10 09:36:19 system-debugging: *done(52b14476)
##2002-10-10 09:36:19 system-debugging: IKE <168.64.2.28> Phase 2 msg-id <52b14476>: Responded to the first peer message.
##2002-10-10 09:36:19 system-debugging: Resonder not set commit bit on 2nd QM.
##2002-10-10 09:36:19 system-debugging: Decrypting payload (length 264)
##2002-10-10 09:36:19 system-debugging: validate(264): 8/24 1/76 10/100 4/232 5/244 5/260
##2002-10-10 09:36:19 system-debugging: Receiving <--
##2002-10-10 09:36:19 system-debugging: Payload: Hash Security_Assoc Nonce Key_Exchange Identification Identification
##2002-10-10 09:36:19 system-debugging: extract(264):
##2002-10-10 09:36:19 system-debugging: Error: No phase 2 proxy id from peer 168.64.2.28, message_id<52b14476>.
##2002-10-10 09:36:19 system-debugging: oakley_process_quick_mode():exit
##2002-10-10 09:36:19 system-debugging: IKE <168.64.2.28> Phase 2 msg-id <52b14476>: Negotiations have failed.
##2002-10-10 09:36:19 system-debugging: Delete conn entry...
##2002-10-10 09:36:19 system-debugging: found(52b14476)

From schwenke-vpn-list at orakel.ntnu.no Thu Oct 10 15:27:54 2002
From: schwenke-vpn-list at orakel.ntnu.no (Eirik Schwenke)
Date: Thu, 10 Oct 2002 21:27:54 +0200 (CEST)
Subject: [VPN] ciscovpn client for linux + wlan-cards
Message-ID:

[This mail was delayed almost two weeks -- first rejected because I mime-included the patch, and then I sent it to the wrong address :-P I have not been able to test this with the new 3.6.2-client yet, but I re-post this anyway, in case others have experienced similar problems.]

After a few hours of trying to install the cisco vpn client (3.6.1) on a linux laptop system, and getting it to work over ethernet, but not wireless lan -- we found that the cisco-client has a check, refusing to use ipsec over any interface not named ppp[anything] or eth[anything].

The offending code is in interceptor.c, in two places:

    /* Don't handle non-eth non-ppp devices */
    if(strncmp(dp->name,"eth",3) && strncmp(dp->name,"ppp",3)) {

and

    /* Don't handle non-eth non-ppp packets */
    if(strncmp("eth",dev->name,3) && strncmp("ppp",dev->name,3)) {

Since many wlan-cards register themselves as wlan0-9, this does not work with some drivers. Expanding the check to include wlan?-interfaces solved the problem.

As my company does not have a support-contract with cisco, I post this to the list, rather than to the vendor -- hoping a support-person at cisco will read it, and inform developers.

See attached patch against the 3.6.1-client (or just fix the two lines manually).

I would like to thank the two users that helped me identify the problem, and provide the fix. Saved me from reading up on c strncmp-calls, as I am no c-programmer ;-)

To use the patch, first extract the standard 3.6.1-client, apply the patch and install/compile normally:

    tar xzf vpnclient-linux-3.6.1.Rel-k9.tar.gz
    cd vpnclient
    cat ../vpnclient-linux-3.6.1.Rel-k9-wlan-patch.diff | patch -p1
    ./vpn_install

Please note: This particular patch has not been tested -- the original quick-fix replaced the ppp-check.
But at least it compiles without errors (tested with build_driver.sh).

(My original posting was rejected, as I included the patch in mime-format -- hopefully this will go through).

--The patch: cut, and save ---
diff -ruN vpnclient-linux-3.6.1.Rel-k9/interceptor.c vpnclient-linux-3.6.1.Rel-k
9-wlan-patch/interceptor.c
--- vpnclient-linux-3.6.1.Rel-k9/interceptor.c Tue Sep 3 21:12:16 2002
+++ vpnclient-linux-3.6.1.Rel-k9-wlan-patch/interceptor.c Sun Sep 29 21:41
:00 2002
@@ -325,7 +325,7 @@
 }
 /* Don't handle non-eth non-ppp devices */
- if(strncmp(dp->name,"eth",3) && strncmp(dp->name,"ppp",3)) {
+ if(strncmp(dp->name,"eth",3) && strncmp(dp->name,"ppp",3) && strncmp(dp
->name, "wlan", 4)) {
 continue;
 }
 if (num_target_devices >= MAX_DEVICES) {
@@ -458,7 +458,7 @@
 }
 /* Don't handle non-eth non-ppp packets */
- if(strncmp("eth",dev->name,3) && strncmp("ppp",dev->name,3)) {
+ if(strncmp("eth",dev->name,3) && strncmp("ppp",dev->name,3) && strncmp("wla
n",dev->name,4)) {
 rc2 = original_ip_handler.orig_handler_func(skb, dev, type);
 goto exit_gracefully;
 }
--- cut ---

--
Eirik Schwenke

"Eat right, exercise regularly, die anyway."

From james at heague.com.au Thu Oct 10 21:35:41 2002
From: james at heague.com.au (James McNeill)
Date: Fri, 11 Oct 2002 11:35:41 +1000
Subject: [VPN] smoothwall
Message-ID: <3DA62AED.20902@heague.com.au>

Hi all.

I've just been playing round with Smoothwall GPL 2.0. As much as it makes a great cheap firewall, I was wondering if anyone might have had any luck using it for a VPN. It does have some VPN support, but the impression I got was that the commercial (non-gpl) versions were more geared toward that.

Ideally I'd like to use this as a VPN terminator for a small subnet. Any thoughts would be helpful.

TIA,
-James

From brian at shmoo.com Fri Oct 11 14:22:03 2002
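Review bot: in the first hunk of Eirik Schwenke's interceptor.c patch above (@@ -325,7 +325,7 @@) the added line is broken by a mail wrap between `strncmp(dp` and `->name, "wlan", 4)) {`, and the diff header's new path is likewise split as `Rel-k` / `9-wlan-patch/interceptor.c`, so `patch -p1` will reject the hunk until those lines are rejoined in the saved file; sending the patch with long lines left intact would avoid that. Functionally the change keeps a hard-coded interface-name prefix list, so a driver that registers under any name other than eth*, ppp* or wlan* is still skipped, exactly the failure described for wlan cards; matching on the interface's link type rather than on its name prefix would cover those without another patch per prefix.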
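Review bot: in the second hunk of the same interceptor.c patch (@@ -458,7 +458,7 @@) the wrap falls inside the string literal, `strncmp("wla` / `n",dev->name,4)`, which is not valid C if the line break survives, so this line too must be rejoined before the patch is applied; that is consistent with the author's note that this exact patch is untested. The two hunks guard different paths (device enumeration in the first, the per-packet handler in the second) and must agree on the accepted prefixes, which they do here; anyone adding a further prefix later should remember to change both.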
From: brian at shmoo.com (Brian Wotring)
Date: Fri, 11 Oct 2002 12:22:03 -0600
Subject: [VPN] ciscovpn client for linux + wlan-cards
In-Reply-To:
Message-ID: <5762BD84-DD46-11D6-BB84-00039300E4C2@shmoo.com>

The Cisco development team is aware of this issue.

On Thursday, October 10, 2002, at 01:27 PM, Eirik Schwenke wrote:

--
Brian Wotring ( brian at shmoo.com )
PGP KeyID: 0x9674763D

From TomM at spectrum-systems.com Fri Oct 11 14:49:30 2002
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Fri, 11 Oct 2002 14:49:30 -0400
Subject: [VPN] smoothwall
Message-ID: <2A0DB5123A51874C82699788F0985ED2064E98@sith.spectrum-systems.com>

I was able to get it to be a VPN termination point with a NetScreen-10 (running firmware version 3.0.1) on the other end. Alas, I had a dynamic-IP dial-up. Whenever I dialed up and wanted to use the VPN, I had to SSH into the other end and change the IP in the NetScreen's config. Once that was done, though, I got pretty good performance for a dial-up.

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com
Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"
11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

> -----Original Message-----
> From: James McNeill [mailto:james at heague.com.au]
> Sent: Thursday, October 10, 2002 9:36 PM
> To: vpn at lists.shmoo.com
> Subject: [VPN] smoothwall

From TomM at spectrum-systems.com Fri Oct 11 14:55:20 2002
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Fri, 11 Oct 2002 14:55:20 -0400
Subject: [VPN] Netscreen 5 Problems - P2 Proxy ID
Message-ID: <2A0DB5123A51874C82699788F0985ED2064E99@sith.spectrum-systems.com>

Debug info from the NetScreen-5 would help, too. You can get it and save it to a file from the WebUI: Log -> Event or from the CLI: 'get log event' (and then cut&paste)

Without that, though, you might want to check that your policy on the NS-5 matches precisely with your NetScreen-Remote config. If you have allowed access to the whole subnet on one side, but only a single IP on the other, the VPN will fail at about the point your NetScreen-Remote did.

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com
Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"
11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

> -----Original Message-----
> From: osmond at holburn.com [mailto:osmond at holburn.com]
> Sent: Thursday, October 10, 2002 10:40 AM
> To: vpn at lists.shmoo.com
> Subject: [VPN] Netscreen 5 Problems - P2 Proxy ID
>
> Thanks for all the help people suggested, I've changed clients to a
> Netscreen 7 client to try and connect to my Netscreen 5xp.
>
> Now I can get past phase 1, but not 2. I've run the debug on the netscreen
> and come up with this:
>
> (IP addresses have been replaced with fictional addresses)
>
> Anyone have any ideas why this isn't working?
>
> ##2002-10-10 09:36:19 system-debugging: *done(52b14476)
> ##2002-10-10 09:36:19 system-debugging: IKE <168.64.2.28> Phase 2 msg-id <52b14476>: Responded to the first peer message.
> ##2002-10-10 09:36:19 system-debugging: Resonder not set commit bit on 2nd QM.
> ##2002-10-10 09:36:19 system-debugging: Decrypting payload (length 264)
> ##2002-10-10 09:36:19 system-debugging: validate(264): 8/24 1/76 10/100 4/232 5/244 5/260
> ##2002-10-10 09:36:19 system-debugging: Receiving <--
> ##2002-10-10 09:36:19 system-debugging: Payload: Hash Security_Assoc Nonce Key_Exchange Identification Identification
> ##2002-10-10 09:36:19 system-debugging: extract(264):
> ##2002-10-10 09:36:19 system-debugging: Error: No phase 2 proxy id from peer 168.64.2.28, message_id<52b14476>.
> ##2002-10-10 09:36:19 system-debugging: oakley_process_quick_mode():exit
> ##2002-10-10 09:36:19 system-debugging: IKE <168.64.2.28> Phase 2 msg-id <52b14476>: Negotiations have failed.
> ##2002-10-10 09:36:19 system-debugging: Delete conn entry...
> ##2002-10-10 09:36:19 system-debugging: found(52b14476)

From jon-pop at tertial.org Fri Oct 11 16:59:57 2002
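Tom's advice in the reply above (the NS-5 policy and the NetScreen-Remote config must mirror each other, a whole subnet against a single IP fails at exactly this point) and the "No phase 2 proxy id from peer" line in the debug, as an added example that is not part of this thread: a small Python check that pulls Phase 2 failures out of NetScreen-style debug lines and compares the two peers' proxy IDs, mask included. The debug excerpt and the 10.0.0.0/192.168.1.0 selectors are constructed for the example; 168.64.2.28 is the fictional peer address from the post.

```python
"""Added example, not from the thread: check IKE Phase 2 proxy IDs the way
Tom describes (gateway policy and NetScreen-Remote config must mirror each
other) and pull Phase 2 failures out of NetScreen-style debug output.
Log lines and subnets below are constructed for the example."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProxyId:
    """One side's view of a Phase 2 SA: local selector, remote selector, proto/port."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    protocol: int = 0  # 0 means "any" in the NetScreen proxy-ID form
    port: int = 0      # 0 means "any"


def proxy_id(local: str, remote: str, protocol: int = 0, port: int = 0) -> ProxyId:
    # strict=False accepts both a single host (x.x.x.x/32) and a subnet
    return ProxyId(ipaddress.ip_network(local, strict=False),
                   ipaddress.ip_network(remote, strict=False), protocol, port)


def proxy_id_mismatches(initiator: ProxyId, responder: ProxyId) -> List[str]:
    """Return the reasons the two peers' proxy IDs fail to mirror each other.

    The initiator's local selector must equal the responder's remote selector
    (and vice versa), mask included: a /24 on one side against a /32 on the
    other is the "whole subnet vs single IP" mismatch from the thread.
    """
    problems: List[str] = []
    if initiator.local != responder.remote:
        problems.append(f"initiator local {initiator.local} != responder remote {responder.remote}")
    if initiator.remote != responder.local:
        problems.append(f"initiator remote {initiator.remote} != responder local {responder.local}")
    if initiator.protocol != responder.protocol:
        problems.append(f"protocol {initiator.protocol} != {responder.protocol}")
    if initiator.port != responder.port:
        problems.append(f"port {initiator.port} != {responder.port}")
    return problems


# NetScreen "system-debugging" lines: "##<date> <time> system-debugging: <message>"
DEBUG_LINE = re.compile(r"^##(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) system-debugging: (?P<msg>.*)$")
NO_PROXY_ID = re.compile(r"Error: No phase 2 proxy id from peer (?P<peer>[\d.]+), message_id<(?P<mid>[0-9a-f]+)>")


def phase2_failures(debug_lines: List[str]) -> List[Tuple[str, str, str]]:
    """(timestamp, peer, message-id) for every 'No phase 2 proxy id' error in the debug."""
    found: List[Tuple[str, str, str]] = []
    for raw in debug_lines:
        m = DEBUG_LINE.match(raw.strip())
        if not m:
            continue
        err = NO_PROXY_ID.search(m.group("msg"))
        if err:
            found.append((m.group("ts"), err.group("peer"), err.group("mid")))
    return found


# Constructed debug excerpt in the shape of the posted one (fictional peer address).
SAMPLE_DEBUG = [
    "##2002-10-10 09:36:19 system-debugging: IKE <168.64.2.28> Phase 2 msg-id <52b14476>: Responded to the first peer message.",
    "##2002-10-10 09:36:19 system-debugging: Payload: Hash Security_Assoc Nonce Key_Exchange Identification Identification",
    "##2002-10-10 09:36:19 system-debugging: Error: No phase 2 proxy id from peer 168.64.2.28, message_id<52b14476>.",
    "##2002-10-10 09:36:19 system-debugging: IKE <168.64.2.28> Phase 2 msg-id <52b14476>: Negotiations have failed.",
]

# Constructed configs: the remote client offers its own host against the office LAN,
# but the gateway policy was written for a whole remote /24, so one selector mismatches.
CLIENT_SIDE = proxy_id("10.0.0.5/32", "192.168.1.0/24")     # initiator (NetScreen-Remote)
GATEWAY_SIDE = proxy_id("192.168.1.0/24", "10.0.0.0/24")    # responder (NS-5 policy as written)
GATEWAY_FIXED = proxy_id("192.168.1.0/24", "10.0.0.5/32")   # responder policy corrected to mirror the client

if __name__ == "__main__":
    for ts, peer, mid in phase2_failures(SAMPLE_DEBUG):
        print(f"{ts}: Phase 2 with {peer} (msg-id {mid}) failed on proxy ID")
    print("mismatches:", proxy_id_mismatches(CLIENT_SIDE, GATEWAY_SIDE))
    print("after fix:", proxy_id_mismatches(CLIENT_SIDE, GATEWAY_FIXED))
```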
From: jon-pop at tertial.org (Jon Still)
Date: Fri, 11 Oct 2002 21:59:57 +0100
Subject: [VPN] IPsec Client for Macintosh
In-Reply-To:
Message-ID: <65F69C1D-DD5C-11D6-8631-0003936303F2@tertial.org>

OS X 10.2 comes with Racoon as well and should work straight out of the box without a recompile. And if you can't stomach the command line, there are 3rd party GUIs for setting up the SAs and pre-shared keys. VPN Tracker is one - http://www.equinux.com/

Cheers,
Jon.

On Tuesday, Oct 8, 2002, at 20:18 Europe/London, Watson, Travis wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yeah, I hadn't thought of that. They should have racoon as well,
> yes? Do you think the kernel would have to be recompiled or is it
> already in the kernel?
>
> - --Travis

--
Jon Still
E-mail: jon at tertial.org
tertial.org Web: http://www.tertial.org/
GPG Key: http://xanthein.net/key.asc
Key ID: 0x00493D2B

From surindersaini at glidemail.com Sat Oct 12 04:49:38 2002
From: surindersaini at glidemail.com (surindersaini at glidemail.com)
Date: Sat, 12 Oct 2002 8:49:38 GMT
Subject: [VPN] Data Tranfer
Message-ID: <200210120849.g9C8ncW12870@www.glidemail.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20021012/78d16937/attachment.txt

From Travis.Watson at Honeywell.com Sun Oct 13 15:41:46 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Sun, 13 Oct 2002 12:41:46 -0700
Subject: [VPN] IPsec Client for Macintosh
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Too cool, Jon. I'm going to have to get an iBook. I use FreeBSD quite a bit--including its kame and racoon functions a couple times--but didn't think about it being in OS X. The command line banging is a touch more complex than FreeS/WAN, in my opinion, but more complicated in a good way. (And it's hard to be less complicated than FreeS/WAN anyway). I don't want to start a flame war, but the storage of files and the way it uses shared text keys just seems a bit more secure with the *BSD implementations--restrictive permissions on the files or not.

My only gripe with kame and racoon is that it seems to always want to work with AES. It may well just be my limited experience, but it doesn't seem to like to use 3DES--which presents problems with a lot of devices out there. I would rather use AES anyway, but if the other side doesn't have it available, it presents problems.

Anyway, thanks for the info.

Cheers,
Travis

- -----Original Message-----
From: Jon Still [mailto:jon-pop at tertial.org]
Sent: Friday, October 11, 2002 2:00 PM
To: Watson, Travis
Cc: 'vpn at lists.shmoo.com'
Subject: Re: [VPN] IPsec Client for Macintosh

OS X 10.2 comes with Racoon as well and should work straight out of the box without a recompile. And if you can't stomach the command line, there are 3rd party GUIs for setting up the SAs and pre-shared keys. VPN Tracker is one - http://www.equinux.com/

Cheers,
Jon.

On Tuesday, Oct 8, 2002, at 20:18 Europe/London, Watson, Travis wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yeah, I hadn't thought of that. They should have racoon as well,
> yes? Do you think the kernel would have to be recompiled or is it
> already in the kernel?
>
> - --Travis

- --
Jon Still
E-mail: jon at tertial.org
tertial.org Web: http://www.tertial.org/
GPG Key: http://xanthein.net/key.asc
Key ID: 0x00493D2B

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use
-----END PGP SIGNATURE-----

From yararat at go-documenta.com Mon Oct 14 04:30:59 2002
From: yararat at go-documenta.com (yararat)
Date: Mon, 14 Oct 2002 10:30:59 +0200
Subject: [VPN] Network splitting and VPN
Message-ID: <000001c2735c$0a52cfe0$7601010a@ts.com>

I have a minor question. Does anyone know of one component that splits the network into two segments and divides them like they had a firewall between them, and also supports VPN tunneling from separate clients? Also, is it by any chance able to make the network look to these users like a regular LAN?

Regards
Yuval Ararat
Documenta LLC.
e-Mail: yararat at go-documenta.com

From vpn at twlight.net Mon Oct 14 12:08:56 2002
From: vpn at twlight.net (Jerry Kemp)
Date: Mon, 14 Oct 2002 11:08:56 -0500
Subject: [VPN] Cisco IPSec VPN client through NAT/PAT
In-Reply-To:
Message-ID: <3DBE5CFE-DF8F-11D6-B9F9-003065BDE51C@twlight.net>

I picked up a Cisco PIX 501 to play with as a learning tool for VPN stuff. Currently, I have it up and operational using the Cisco 3.6.x easyVPN client using public ip (client ip) to Cisco PIX (public ip). The PIX is running 6.2(2). Also, I do not have the 3des license, only des.

When the Cisco VPN client is coming from behind a NAT/PAT source, I can connect to the PIX (still public ip), but no traffic ever makes it back to me. I have determined this via the stats in the VPN client.

Can anyone point me to a URL where I can RTFM on Cisco PIX VPNs and NAT/PAT? I have spent more time than I care to admit on CCO searching for something like this.

Thanks,

Jerry

From ken at bsrequipment.com Fri Oct 18 09:24:18 2002
From: ken at bsrequipment.com (Ken)
Date: Fri, 18 Oct 2002 07:24:18 -0600
Subject: [VPN] VPN QUESTIONS
Message-ID:

Hi Tina,

I ran across your web site via Google and it's a very good site for VPN. I have a quick question, hopefully, about VPN and mapping drives. Once you get a Tunnel created and connected, how do you map a drive? I was assuming it was just like a normal network. Any help would be greatly appreciated. I'm new to VPN but not networking.

Sincerely,
Ken
ken at bsrequipment.com

From dgoldsmith at sans.org Tue Oct 15 11:34:20 2002
From: dgoldsmith at sans.org (David Goldsmith)
Date: Tue, 15 Oct 2002 11:34:20 -0400
Subject: [VPN] Cisco VPN 3030 Concentrators (NR versus RED)
Message-ID: <20021015113420.2d8cf4d7.dgoldsmith@sans.org>

When you buy CVPN3030-BUN-NR, you are buying 1 3030 concentrator and 1 software license.

When you buy CVPN3030-BUN-RED, what exactly are you buying? The pricing info I have received leads me to believe that the NR part is a single concentrator meant to be used as a solo gateway and the RED part is 2 concentrators meant to be used as a high-availability cluster in one location.

Is this correct or is there another answer? What exactly is the difference between the non-redundant (NR) and redundant (RED) part numbers?

Thanks,
Dave Goldsmith

From dmcneese at lanl.gov Tue Oct 15 18:09:54 2002
From: dmcneese at lanl.gov (David McNeese)
Date: Tue, 15 Oct 2002 16:09:54 -0600
Subject: [VPN] Wireless Question
Message-ID: <02b001c27497$972d3040$3d72a580@win.lanl.gov>

I sent this out earlier, and I forgot to mention we are trying to get it to work with Windows clients.

Sorry for any confusion.

I recently saw an EMAIL from Eirik Schwenke discussing the Cisco 3.6.1 client and wireless in LINUX indicating he got it to work by modifying the code to look at wlan? as part of the examination of the interfaces.

We can't get the cisco clients (3.6.1 or 3.6.2) to work via wireless connections. Is it supported? Can this be done? Is there an "oddball" fix like Eirik discovered for LINUX?

Thanks for any assistance.

*************************************************************
"Cheer up, things could be worse. So
I cheered up and sure enough, things got worse."

David McNeese -- CCNA, MCSE
CCN-5 Network Services Team
MS B255
505-667-5226 (voice)
dmcneese at lanl.gov

From lists at tarundua.net Wed Oct 16 13:07:32 2002
From: lists at tarundua.net (Tarun Dua)
Date: Wed, 16 Oct 2002 22:37:32 +0530
Subject: [VPN] Data Tranfer
References: <200210120849.g9C8ncW12870@www.glidemail.com>
Message-ID: <0ff001c27536$879778d0$0f0a0a0a@pugmarks34team>

Hi,

I assume you require a Secure Data Transfer over a VPN; that's why you are asking your question here. There are a number of solutions possible. Setting up a VPN tunnel using firewalls is one of them.

More questions ??

Regards
Tarun Dua
http://www.tarundua.net
All you wanted to know about Tarun Dua but didn't know whom to ask

----- Original Message -----
From:
To:
Sent: Saturday, October 12, 2002 2:19 PM
Subject: [VPN] Data Tranfer

>
> Sir,
>
> we have two offices located at a distance of 300 Kms. We have to transfer data of about 30 MB or even more daily to each location; what will be the ideal solution?
>
> regards
>
> Surinder
>

From losttoy2000 at yahoo.co.uk Thu Oct 17 08:36:31 2002
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Thu, 17 Oct 2002 13:36:31 +0100 (BST)
Subject: [VPN] Restricting VPN 3000 user to specific servers
Message-ID: <20021017123631.43809.qmail@web12702.mail.yahoo.com>

Hi,

I have configured a Cisco VPN 3000 concentrator behind a PIX Firewall for remote users. I need to restrict users who land on the concentrator to specific servers on my LAN. The Concentrator and the servers are in the same LAN behind the firewall. So basically, can I put some access control on the concentrator to restrict access of users to specific IP addresses/ports within the network?

Regards,

Siddhartha

__________________________________________________
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
http://uk.my.yahoo.com

From brian at shmoo.com Sat Oct 19 10:32:55 2002
From: brian at shmoo.com (Brian Wotring)
Date: Sat, 19 Oct 2002 08:32:55 -0600
Subject: [VPN] Cisco IPSec VPN client through NAT/PAT
In-Reply-To: <3DBE5CFE-DF8F-11D6-B9F9-003065BDE51C@twlight.net>
Message-ID:

Have you looked at this yet:

On Monday, October 14, 2002, at 10:08 AM, Jerry Kemp wrote:

> I picked up a Cisco PIX 501 to play with as a learning tool for VPN
> stuff. Currently, I have it up and operational using the Cisco 3.6.x
> easyVPN client using public ip (client ip) to Cisco PIX (public ip).
> The PIX is running 6.2(2). Also, I do not have the 3des license, only
> des.
>
> When the Cisco VPN client is coming from behind a NAT/PAT source, I
> can connect to the PIX (still public ip), but no traffic ever makes it
> back to me. I have determined this via the stats in the VPN client.
>
> Can anyone point me to URL where I can RTFM on Cisco PIX VPN's and
> NAT/PAT? I have spent more time than I care to admin on CCO searching
> for something like this.
>
> Thanks,
>
> Jerry

--
Brian Wotring ( brian at shmoo.com )
PGP KeyID: 0x9674763D

From brian at shmoo.com Sat Oct 19 10:40:16 2002
From: brian at shmoo.com (Brian Wotring)
Date: Sat, 19 Oct 2002 08:40:16 -0600
Subject: [VPN] Wireless Question
In-Reply-To: <02b001c27497$972d3040$3d72a580@win.lanl.gov>
Message-ID:

The 3.6.1 client will not work with wireless, you must use the latest 3.6 release (3.6.2a).

What is the interface name for your wireless card? If it is in the wlanX form, the latest client will not work. Your best bet is to modify the driver source as mentioned earlier on this list.

On Tuesday, October 15, 2002, at 04:09 PM, David McNeese wrote:

> I sent this out earlier, and I forgot to mention we are trying to get
> it to work with Windows clients.
>
> Sorry for any confusion.
>
> I recently saw an EMAIL from Eirik Schwenke discussing the Cisco 3.6.1
> client and wireless in LINUX indicating he got it to work by modifying
> the code to look at wlan? as part of the examination of the interfaces.
>
> We can't get the cisco clients (3.6.1 or 3.6.2) to work via wireless
> connections. Is it supported? Can this be done? Is there an
> "oddball" fix like Eirik discovered for LINUX?
>
> Thanks for any assistance.
>
> *************************************************************
> "Cheer up, things could be worse. So
> I cheered up and sure enough, things got worse."
>
> David McNeese -- CCNA, MCSE
> CCN-5 Network Services Team
> MS B255
> 505-667-5226 (voice)
> dmcneese at lanl.gov

--
Brian Wotring ( brian at shmoo.com )
PGP KeyID: 0x9674763D

From Joel.Snyder at Opus1.COM Sat Oct 19 11:07:56 2002
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Sat, 19 Oct 2002 08:07:56 -0700
Subject: [VPN] Restricting VPN 3000 user to specific servers
References: <20021017123631.43809.qmail@web12702.mail.yahoo.com>
Message-ID: <3DB1754C.D933F62E@opus1.com>

Yes. Put them in separate groups, and use the group lock function. Then, lock down the group within RADIUS.

jms

Siddhartha Jain wrote:
>
> Hi,
>
> I have configured a Cisco VPN 3000 concentrator behind
> a PIX Firewall for remote users. I need to restrict
> users who land on the concentrator to specific servers
> on my LAN. The Concentrator and the servers are in the
> same LAN behind the firewall. So basically, can I put
> some access control on the concentrator to restrict
> access of users to specific IP addresses/ports within
> the network?
>
> Regards,
>
> Siddhartha

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2082 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20021019/90f35631/attachment.bin

From Joel.Snyder at Opus1.COM Sat Oct 19 11:15:54 2002
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Sat, 19 Oct 2002 08:15:54 -0700
Subject: [VPN] Cisco IPSec VPN client through NAT/PAT
References: <3DBE5CFE-DF8F-11D6-B9F9-003065BDE51C@twlight.net>
Message-ID: <3DB1772B.6B1E27FB@opus1.com>

The short answer is, "don't do that."

Although the PIX has capabilities for remote access VPN, it's such an awful solution that learning about it is kind of like learning about token ring for your CCIE: yeah, you can do it, but you really wouldn't. It wouldn't surprise me if there is no NAT traversal capability in the PIX, or if it only worked for NAT and not NAPT.

Cisco has a MUCH BETTER solution in the 3000 series for remote access. It also has site-to-site capabilities, but those also fall into the category of "don't do that." Cisco sort of does a disservice to the world by not making it abundantly clear that the PIX + IOS are good at site-to-site and the 3000 is good at remote access, but pushing either into the territory of the other is a bad idea.

Speaking of which: you may want to read Network World on October 28th (a week from Monday), when a long and extensive review of VPN remote access solutions will be published, including some head-to-head comparison of Cisco 3000, Check Point, NetScreen, SonicWall, Avaya, Cylink, Imperito, ActiveLane, and Secure Computing.

jms

Jerry Kemp wrote:
>
> I picked up a Cisco PIX 501 to play with as a learning tool for VPN
> stuff. Currently, I have it up and operational using the Cisco 3.6.x
> easyVPN client using public ip (client ip) to Cisco PIX (public ip).
> The PIX is running 6.2(2). Also, I do not have the 3des license, only
> des.
>
> When the Cisco VPN client is coming from behind a NAT/PAT source, I can
> connect to the PIX (still public ip), but no traffic ever makes it back
> to me. I have determined this via the stats in the VPN client.
>
> Can anyone point me to URL where I can RTFM on Cisco PIX VPN's and
> NAT/PAT? I have spent more time than I care to admit on CCO searching
> for something like this.
>
> Thanks,
>
> Jerry

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2082 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20021019/cad298fd/attachment.bin

From nirving at exaol.com Sat Oct 19 12:36:13 2002
From: nirving at exaol.com (Nicholas Irving)
Date: Sat, 19 Oct 2002 17:36:13 +0100
Subject: [VPN] Fw: Pix 515R - VPN not working
Message-ID: <002701c2778d$a3a68ad0$ec00a8c0@dzo.com>

Hi all,

I have been trying to figure out why I am getting this when I try to connect via a 3.6 vpn client to my Pix 515R (6.0).

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3

I am not sure why I am getting "ISAKMP: encryption... What? 7?" and I am thinking that this is causing my problems connecting to the VPN. Is this a config issue? I can supply my config upon request.

Nicholas Irving
nirving at casinoreality.com

From shannong at texas.net Sat Oct 19 12:40:55 2002
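The ISAKMP debug in Nicholas's post above, as an added example that is not part of this thread: a Python parser for the per-transform attribute lines of a PIX-style debug that decodes the variable-length lifetime and names the encryption value the PIX could not, then reports why each transform fails against a policy. IANA's IKEv1 Encryption-Algorithm registry numbers DES-CBC 1, 3DES-CBC 5 and AES-CBC 7, so a peer proposal the 6.0 image prints as "encryption... What? 7?" is an AES-CBC proposal; the DES-only policy used below is constructed, since the post does not include the PIX config.

```python
"""Added example, not from the thread: decode the transform attribute lines of a
PIX-style ISAKMP debug and explain why each transform is rejected by a policy.
Encryption values follow the IANA IKEv1 Encryption-Algorithm registry; the
policy at the bottom is constructed (the post does not include the config)."""
import re
from typing import Dict, List

# IANA IKEv1 "Encryption Algorithm" attribute values (subset).
ENCRYPTION_ALGS = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC",
                   5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC"}

TRANSFORM_START = re.compile(
    r"^ISAKMP \(\d+\): Checking ISAKMP transform (?P<num>\d+) against priority (?P<prio>\d+) policy$")
ATTR_LINE = re.compile(
    r"^ISAKMP:\s+(?P<attr>encryption|hash|default group|extended auth|life type|life duration)"
    r"\S*\s*(?P<val>.*)$")


def decode_life_duration(raw: bytes) -> int:
    """Variable-length big-endian lifetime: 0x00 0x20 0xc4 0x9b -> 2147483 seconds."""
    return int.from_bytes(raw, "big")


def parse_transform(lines: List[str]) -> Dict[str, object]:
    """Turn the 'ISAKMP: <attribute> <value>' lines of one transform into a dict."""
    t: Dict[str, object] = {}
    for line in lines:
        m = ATTR_LINE.match(line.strip())
        if not m:
            continue  # e.g. "ISAKMP: attribute 3584", which we do not decode
        attr, val = m.group("attr"), m.group("val").strip()
        if attr == "encryption":
            unknown = re.search(r"What\?\s*(\d+)\?", val)
            if unknown:  # the PIX had no name for the value; use the IANA table
                code = int(unknown.group(1))
                t["encryption"] = ENCRYPTION_ALGS.get(code, f"unknown({code})")
            else:
                t["encryption"] = val
        elif attr == "hash":
            t["hash"] = val.upper()
        elif attr == "default group":
            t["group"] = int(val)
        elif attr == "extended auth":
            t["auth"] = "xauth " + val  # "extended auth pre-share" -> "xauth pre-share"
        elif attr == "life type":
            t["life_type"] = val.replace("in ", "", 1)
        elif attr == "life duration":
            raw = bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]+)", val))
            t["life_seconds"] = decode_life_duration(raw)
    return t


def split_transforms(debug: List[str]) -> List[Dict[str, object]]:
    """Group a debug capture into one decoded dict per 'Checking ISAKMP transform'."""
    groups: List[Dict[str, object]] = []
    for raw in debug:
        line = raw.strip()
        start = TRANSFORM_START.match(line)
        if start:
            groups.append({"number": int(start.group("num")),
                           "policy": int(start.group("prio")), "lines": []})
        elif groups and line.startswith("ISAKMP:"):
            groups[-1]["lines"].append(line)
    return [dict(parse_transform(g["lines"]), number=g["number"], policy=g["policy"])
            for g in groups]


def rejection_reasons(transform: Dict[str, object], policy: Dict[str, object]) -> List[str]:
    """IKEv1 accepts a transform only if encryption, hash, group and auth all match."""
    reasons = []
    for key in ("encryption", "hash", "group", "auth"):
        if transform.get(key) != policy[key]:
            reasons.append(f"{key}: peer proposes {transform.get(key)}, "
                           f"policy {policy['number']} has {policy[key]}")
    return reasons


# The two transforms exactly as they appear in the posted debug.
SAMPLE_DEBUG = [
    "ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy",
    "ISAKMP: encryption... What? 7?", "ISAKMP: hash SHA", "ISAKMP: default group 2",
    "ISAKMP: extended auth pre-share", "ISAKMP: life type in seconds",
    "ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b", "ISAKMP: attribute 3584",
    "ISAKMP (0): atts are not acceptable. Next payload is 3",
    "ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy",
    "ISAKMP: encryption... What? 7?", "ISAKMP: hash MD5", "ISAKMP: default group 2",
    "ISAKMP: extended auth pre-share", "ISAKMP: life type in seconds",
    "ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b", "ISAKMP: attribute 3584",
    "ISAKMP (0): atts are not acceptable. Next payload is 3",
]

# Constructed gateway policy: a DES-only box (no 3DES licence, no AES in 6.0).
DES_POLICY: Dict[str, object] = {"number": 10, "encryption": "DES-CBC", "hash": "SHA",
                                 "group": 2, "auth": "xauth pre-share"}

if __name__ == "__main__":
    for t in split_transforms(SAMPLE_DEBUG):
        print(f"transform {t['number']} vs policy {t['policy']}: {t}")
        for why in rejection_reasons(t, DES_POLICY):
            print("   rejected:", why)
```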
From: shannong at texas.net (shannong)
Date: Sat, 19 Oct 2002 11:40:55 -0500
Subject: [VPN] Cisco IPSec VPN client through NAT/PAT
In-Reply-To:
Message-ID: <007601c2778e$4bd77cf0$0101a8c0@asteroid>

I have looked there before, and there is no cure as far as I know. The fix is to use IPSec over UDP or TCP, but the Pix does not yet have these features. You'll have to use a VPN concentrator to use those features. I'm very disappointed in cisco for not providing this capability on the pix. The Pix "supports" the Unity 3.x client but only in a very limited fashion with little functionality.

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Brian Wotring
Sent: Saturday, October 19, 2002 9:33 AM
To: Jerry Kemp
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] Cisco IPSec VPN client through NAT/PAT

Have you looked at this yet:

On Monday, October 14, 2002, at 10:08 AM, Jerry Kemp wrote:

> I picked up a Cisco PIX 501 to play with as a learning tool for VPN
> stuff. Currently, I have it up and operational using the Cisco 3.6.x
> easyVPN client using public ip (client ip) to Cisco PIX (public ip).
> The PIX is running 6.2(2). Also, I do not have the 3des license, only
> des.
>
> When the Cisco VPN client is coming from behind a NAT/PAT source, I
> can connect to the PIX (still public ip), but no traffic ever makes it
> back to me. I have determined this via the stats in the VPN client.
>
> Can anyone point me to URL where I can RTFM on Cisco PIX VPN's and
> NAT/PAT? I have spent more time than I care to admin on CCO searching
> for something like this.
>
> Thanks,
>
> Jerry

--
Brian Wotring ( brian at shmoo.com )
PGP KeyID: 0x9674763D

From pete at ether.net Sat Oct 19 16:03:51 2002
From: pete at ether.net (Pete Davis)
Date: Sat, 19 Oct 2002 16:03:51 -0400
Subject: [VPN] Cisco VPN 3030 Concentrators (NR versus RED)
In-Reply-To: <20021015113420.2d8cf4d7.dgoldsmith@sans.org>
References: <20021015113420.2d8cf4d7.dgoldsmith@sans.org>
Message-ID: <20021019160351.A31407@ether.net>

You're buying a unit with 2 power supplies and 2 primary/2 redundant (4) SEP encryption modules.

On Tue, Oct 15, 2002 at 11:34:20AM -0400, David Goldsmith wrote:
> When you buy CVPN3030-BUN-NR, you are buying 1 3030 concentrator and 1 software license.
>
> When you buy CVPN3030-BUN-RED, what exactly are you buying? The pricing info I have received leads me to believe that the NR part is a single concentrator meant to be used as a solo gateway and the RED part is 2 concentrators meant to be used as a high-availability cluster in one location.
>
> Is this correct or is there another answer? What exactly is the difference between the non-redundant (NR) and redundant (RED) part numbers?

From schwenke-vpn-list at orakel.ntnu.no Sat Oct 19 23:40:19 2002
From: schwenke-vpn-list at orakel.ntnu.no (Eirik Schwenke)
Date: Sun, 20 Oct 2002 05:40:19 +0200 (CEST)
Subject: [VPN] Wireless Question
In-Reply-To:
Message-ID:

On Sat, 19 Oct 2002, Brian Wotring wrote:

> The 3.6.1 client will not work with wireless, you must use the latest
> 3.6 release (3.6.2a).

What leads you to this conclusion? I have used the 3.6.1 client with a laptop running debian and 802.11b (I don't have more detailed information on network-card manufacturer etc, but I can get them if there is an interest). I would recommend using the latest version anyway -- I'm just curious.

> What is the interface name for your wireless card? If it is in the
> wlanX form, the latest client will not work. Your best bet is to
> modify the driver source as mentioned earlier on this list.

Specifically, if the interface is anything other than eth-something or ppp-something the client will refuse to touch it. Look for the text string in interceptor.c.

Regards,

--
Eirik Schwenke

Ethernet (n): something used to catch the etherbunny

From pete at ether.net Sun Oct 20 10:56:57 2002
From: pete at ether.net (Pete Davis)
Date: Sun, 20 Oct 2002 10:56:57 -0400
Subject: [VPN] Wireless Question
In-Reply-To:
References: <02b001c27497$972d3040$3d72a580@win.lanl.gov>
Message-ID: <20021020105657.A32271@ether.net>

I think Brian is responding re: Linux and not Windows. I have used a Cisco Aironet wireless card with versions of the VPN client since 3.0.

What type of Wireless card are you using, what version of the VPN Client and OS?

Best Regards,
-pete

On Sat, Oct 19, 2002 at 08:40:16AM -0600, Brian Wotring wrote:
>
> The 3.6.1 client will not work with wireless, you must use the latest
> 3.6 release (3.6.2a).
>
> What is the interface name for your wireless card? If it is in the
> wlanX form, the latest client will not work. Your best bet is to
> modify the driver source as mentioned earlier on this list.
>
> On Tuesday, October 15, 2002, at 04:09 PM, David McNeese wrote:
>
> > I sent this out earlier, and I forgot to mention we are trying to get
> > it to work with Windows clients.
> >
> > Sorry for any confusion.
> >
> > I recently saw an EMAIL from Eirik Schwenke discussing the Cisco 3.6.1
> > client and wireless in LINUX indicating he got it to work by modifying
> > the code to look at wlan? as part of the examination of the interfaces.
> >
> > We can't get the cisco clients (3.6.1 or 3.6.2) to work via wireless
> > connections. Is it supported? Can this be done? Is there an
> > "oddball" fix like Eirik discovered for LINUX?
> >
> > Thanks for any assistance.
> >
> > *************************************************************
> > "Cheer up, things could be worse. So
> > I cheered up and sure enough, things got worse."
> >
> > David McNeese -- CCNA, MCSE
> > CCN-5 Network Services Team
> > MS B255
> > 505-667-5226 (voice)
> > dmcneese at lanl.gov

From shannong at texas.net Sun Oct 20 12:27:51 2002
From: shannong at texas.net (shannong)
Date: Sun, 20 Oct 2002 11:27:51 -0500
Subject: [VPN] Restricting VPN 3000 user to specific servers
Message-ID: <00b201c27855$a2d9a100$0101a8c0@asteroid>

-----Original Message-----
From: shannong [mailto:shannong at texas.net]
Sent: Saturday, October 19, 2002 12:20 PM
To: 'Siddhartha Jain'
Subject: RE: [VPN] Restricting VPN 3000 user to specific servers

You can create Filters on the concentrator by applying Rules to them. Rules are basically like access list entries. You apply the Rules to Filters. Then you apply the Filters to the Group in question. You'll probably have to create your own custom Rules to accomplish your desired access. The built in rules are for things like HTTP, ESP, etc. Remember that the Filters are written from the concentrator's point of view with respect to direction.

Filters/Rules are defined at:
Configuration-->Policy Management-->Traffic Management

They are applied to Groups at:
Configuration-->User Management-->Groups on the General tab.

Additionally, you can/should define split tunneling so that only desired networks are included in the tunnel traffic.

-S

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Siddhartha Jain
Sent: Thursday, October 17, 2002 7:37 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Restricting VPN 3000 user to specific servers

Hi,

I have configured a Cisco VPN 3000 concentrator behind a PIX Firewall for remote users. I need to restrict users who land on the concentrator to specific servers on my LAN. The Concentrator and the servers are in the same LAN behind the firewall. So basically, can I put some access control on the concentrator to restrict access of users to specific IP addresses/ports within the network?

Regards,

Siddhartha

From djdawso at qwest.com Mon Oct 21 11:58:06 2002
From: djdawso at qwest.com (Dana J. Dawson)
Date: Mon, 21 Oct 2002 10:58:06 -0500
Subject: [VPN] Restricting VPN 3000 user to specific servers
References: <20021017123631.43809.qmail@web12702.mail.yahoo.com> <3DB1754C.D933F62E@opus1.com>
Message-ID: <3DB4240E.6020800@qwest.com>

You'll also need to create an access-list (they're called "filters" in the 3000) that allows access to the appropriate servers. You can then apply that filter to a particular group or individual users to restrict their access to those servers. It should just work.

HTH

Dana

Joel M Snyder wrote:
> Yes. Put them in separate groups, and use the group lock function. Then,
> lock down the group within RADIUS.
>
> jms
>
> Siddhartha Jain wrote:
>
>>Hi,
>>
>>I have configured a Cisco VPN 3000 concentrator behind
>>a PIX Firewall for remote users. I need to restrict
>>users who land on the concentrator to specific servers
>>on my LAN. The Concentrator and the servers are in the
>>same LAN behind the firewall. So basically, can I put
>>some access control on the concentrator to restrict
>>access of users to specific IP addresses/ports within
>>the network?
>>
>>Regards,
>>
>>Siddhartha
>

--
Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
Minneapolis MN 55413-2620

"Hard is where the money is."

From jgeist at shaw.ca Tue Oct 22 14:48:15 2002
From: jgeist at shaw.ca (Jurgen Geist)
Date: Tue, 22 Oct 2002 11:48:15 -0700
Subject: [VPN] FW: MODERATE for vpn@securityfocus.com (fwd)
Message-ID:

Please help with the Qs below if you can, thanks!

jg

-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Tuesday, October 22, 2002 11:24 AM
To: jgeist at shaw.ca
Subject: MODERATE for vpn at securityfocus.com (fwd)

please send to vpn at lists.shmoo.com -- the securityfocus list has been decommissioned.

"Wine is strong, the King is stronger, women are strongest, but TRUTH conquers all."
----- Inscription in the Rosslyn Chapel (near Edinburgh, Scotland)

http://www.shmoo.com/~tbird
Log Analysis http://www.counterpane.com/log-analysis.html
VPN http://vpn.shmoo.com

---------- Forwarded message ----------
Date: 22 Oct 2002 17:03:41 -0000
From: "vpn-reject-1035306221.25166.aakbaihpmhfckojgmklp at securityfocus.com"
Reply-To: "vpn-accept-1035306221.25166.aakbaihpmhfckojgmklp at securityfocus.com"
To: Recipient list not shown: ;
Cc: "vpn-allow-tc.1035306221.mjebdnhaoaobcdejbmej-jgeist=shaw.ca at securityfocus.com"
Subject: MODERATE for vpn at securityfocus.com

The enclosed message was submitted to the vpn at securityfocus.com mailing list.

If you'd like to approve it for distribution to all the subscribers, please e-mail:

vpn-accept-1035306221.25166.aakbaihpmhfckojgmklp at securityfocus.com

Usually, this happens when you just hit the "reply" button. You can check the address to make sure that it starts with "vpn-accept". If this does not work, simply copy the address and paste it into the "To:" field of a new message.

To reject the post and cause it to be returned to the sender, please send a message to:

vpn-reject-1035306221.25166.aakbaihpmhfckojgmklp at securityfocus.com

Usually, it is easiest to hit the "reply-to-all" button, and then remove all the addresses except the one starting with "vpn-reject".

You do not need to copy the post in your response to accept or reject it. If you wish to send a comment to the sender of a rejected post, please include it between two marker lines starting with three percent signs ('%'):

%%% Start comment
%%% End comment

Thank you for your help!

--- Enclosed, please find the posted message.

-------------- next part --------------
An embedded message was scrubbed...
From: unknown sender
Subject: no subject
Date: no date
Size: 2187
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20021022/b4ae38e9/attachment.eml

From dhadwal_sandeepsingh at hotmail.com Wed Oct 23 13:23:18 2002
From: dhadwal_sandeepsingh at hotmail.com (Sandeep Dhadwal)
Date: Wed, 23 Oct 2002 22:53:18 +0530
Subject: [VPN] Wireless Question
Message-ID:

Hi,

I am using Netgear wireless products, and with those I am facing a problem with the Cisco VPN client. I am using the Windows operating system. Please advise me what I need to do about this issue.

Regards,
Sandeep
>From: Pete Davis
>To: Brian Wotring
>CC: David McNeese , vpn at lists.shmoo.com
>Subject: Re: [VPN] Wireless Question
>Date: Sun, 20 Oct 2002 10:56:57 -0400
>
>I think Brian is responding re: Linux and not Windows. I have used a Cisco
>Aironet wireless card with versions of the VPN client since 3.0.
>
>What type of Wireless card are you using, what version of the VPN Client
>and OS?
>
>Best Regards,
>-pete
>
>On Sat, Oct 19, 2002 at 08:40:16AM -0600, Brian Wotring wrote:
> >
> > The 3.6.1 client will not work with wireless, you must use the latest
> > 3.6 release (3.6.2a).
> >
> > What is the interface name for your wireless card? If it is in the
> > wlanX form, the latest client will not work. Your best bet is to
> > modify the driver source as mentioned earlier on this list.
> >
> > On Tuesday, October 15, 2002, at 04:09 PM, David McNeese wrote:
> >
> > > I sent this out earlier, and I forgot to mention we are trying to get
> > > it to work with Windows clients.
> > >
> > > Sorry for any confusion.
> > >
> > > I recently saw an EMAIL from Eirik Schwenke discussing the Cisco 3.6.1
> > > client and wireless in LINUX indicating he got it to work by modifying
> > > the code to look at wlan? as part of the examination of the interfaces.
> > >
> > > We can't get the cisco clients (3.6.1 or 3.6.2) to work via wireless
> > > connections. Is it supported? Can this be done? Is there an
> > > "oddball" fix like Eirik discovered for LINUX?
> > >
> > > Thanks for any assistance.
> > >
> > > *************************************************************
> > > "Cheer up, things could be worse. So
> > > I cheered up and sure enough, things got worse."
> > >
> > > David McNeese -- CCNA, MCSE
> > > CCN-5 Network Services Team
> > > MS B255
> > > 505-667-5226 (voice)
> > > dmcneese at lanl.gov
>_______________________________________________
>VPN mailing list
>VPN at lists.shmoo.com
>http://lists.shmoo.com/mailman/listinfo/vpn

From EFrancen at jasc.com Thu Oct 24 09:56:28 2002
From: EFrancen at jasc.com (Evan Francen)
Date: Thu, 24 Oct 2002 08:56:28 -0500
Subject: [VPN] Cisco 3015 Log
Message-ID:

I have one user that's having problems connecting to our Cisco 3015 VPN Concentrator. He can connect ~2 of 50 times, on average. I find the information below in the Concentrator log files, and I was hoping someone on this list might be able to point me in the right direction.

50235 10/23/2002 17:44:00.930 SEV=4 IKE/52 RPT=1217 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
User (DOMAINX\mwilliams) authenticated.

50236 10/23/2002 17:44:01.760 SEV=5 IKE/184 RPT=1215 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
Client OS: N/A
Client Application Version: 3.5 (Rel)

50238 10/23/2002 17:44:37.610 SEV=4 IKEDBG/65 RPT=397 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
IKE TM V6 FSM error history (struct &0x4c5db3c)
, :
TM_DONE, EV_ERROR
TM_WAIT_QM_MSG, EV_TIMEOUT
TM_WAIT_QM_MSG, NullEvent
TM_SND_REPLY, EV_SND_MSG

50243 10/23/2002 17:44:37.610 SEV=4 IKEDBG/65 RPT=398 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
IKE AM Responder FSM error history (struct &0x5bd1bd0)
, :
AM_DONE, EV_ERROR
AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL
AM_TM_INIT_MODECFG_V6H, NullEvent
AM_TM_INIT_MODECFG, EV_WAIT

50249 10/23/2002 17:45:02.350 SEV=4 IKE/136 RPT=249 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
IKE session establishment timed out [AM_WAIT_DELETE], aborting!

50251 10/23/2002 17:45:12.350 SEV=4 IKE/136 RPT=250 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
IKE session establishment timed out [AM_WAIT_DELETE], aborting!

50253 10/23/2002 17:45:22.350 SEV=4 IKE/137 RPT=124 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
Reaper overriding refCnt [0] and tunnelCnt [2] -- deleting SA!

Any explanations, or references to some night time reading material (relative to this!) would be greatly appreciated.

Thanks in advance!
Evan Francen, CCNP
efrancen at jasc.com

From venicio_boas at br.schindler.com Thu Oct 24 12:17:32 2002
From: venicio_boas at br.schindler.com (venicio_boas at br.schindler.com)
Date: Thu, 24 Oct 2002 13:17:32 -0300
Subject: [VPN] VPN questions
Message-ID:

Dear Tina Bird

Can I use Windows 2000 for building a VPN S2S without using hardware equipment such as a Cisco concentrator? What are the advantages and disadvantages in both cases?

Can I use Windows 2000 for building a remote access VPN without using the Cisco client to connect to a Cisco concentrator, or Alladin for it? Why use the Alladin client to connect to a Microsoft Certificate? Can I use a purely Microsoft solution? What are the advantages and disadvantages in both cases?

Thank you very much for some help

Venicio Vilas-Bôas
Elevadores Atlas Schindler S/A
Tel. 55 11 6120-5431

From omer at faruk.net Sat Oct 26 09:57:44 2002
From: omer at faruk.net (Omer Faruk Sen)
Date: Sat, 26 Oct 2002 09:57:44 -0400
Subject: [VPN] l2tpd and nat
Message-ID: <20021026135744.18395.qmail@fuzuli.enderunix.org>

I am planning to set up an L2TP LNS on Linux (l2tpd), but I am planning to use NAT for it, so the LNS server's IP address will be an RFC 1918 IP. But I have a question. Does the L2TP packet's payload (data stream) contain IP addresses? I have skimmed RFC 2661 and I think it is possible to set up an LNS behind NAT. But I wanted to be sure of that.

Thanks in advance.

=-=-=-=-=-=-=-=-=-=-=-
Omer Faruk Sen
http://www.faruk.net
For Public Key: http://www.faruk.net/omer.asc

From djdawso at qwest.com Fri Oct 25 13:33:19 2002
From: djdawso at qwest.com (Dana J. Dawson)
Date: Fri, 25 Oct 2002 12:33:19 -0500
Subject: [VPN] Cisco 3015 Log
References:
Message-ID: <3DB9805F.4030208@qwest.com>

Anytime I see something that works intermittently and includes timeouts I start thinking packet loss. Since it's only affecting this user, I look closer at his end of the link first. And check everything, including any LAN connections, since we see a lot of situations where ethernet auto negotiation doesn't work correctly, causing high packet loss and bad connections.

Good luck!

Dana

--
Dana J. Dawson                    djdawso at qwest.com
Senior Staff Engineer             CCIE #1937
Qwest Communications              (612) 664-3364
600 Stinson Blvd., Suite 1S       (612) 664-4779 (FAX)
Minneapolis MN 55413-2620
"Hard is where the money is."

Evan Francen wrote:

>I have one user that's having problems connecting to our Cisco 3015 VPN
>Concentrator. He can connect ~2 of 50 times, on average. I find the
>information below in the Concentrator log files, and I was hoping someone on
>this list might be able to point me in the right direction.
>
>50235 10/23/2002 17:44:00.930 SEV=4 IKE/52 RPT=1217 201.214.18.178
>Group [VPNUser] User [DOMAINX\mwilliams]
>User (DOMAINX\mwilliams) authenticated.
>
>50236 10/23/2002 17:44:01.760 SEV=5 IKE/184 RPT=1215 201.214.18.178
>Group [VPNUser] User [DOMAINX\mwilliams]
>Client OS: N/A
>Client Application Version: 3.5 (Rel)
>
>50238 10/23/2002 17:44:37.610 SEV=4 IKEDBG/65 RPT=397 201.214.18.178
>Group [VPNUser] User [DOMAINX\mwilliams]
>IKE TM V6 FSM error history (struct &0x4c5db3c)
>, :
>TM_DONE, EV_ERROR
>TM_WAIT_QM_MSG, EV_TIMEOUT
>TM_WAIT_QM_MSG, NullEvent
>TM_SND_REPLY, EV_SND_MSG
>
>50243 10/23/2002 17:44:37.610 SEV=4 IKEDBG/65 RPT=398 201.214.18.178
>Group [VPNUser] User [DOMAINX\mwilliams]
>IKE AM Responder FSM error history (struct &0x5bd1bd0)
>, :
>AM_DONE, EV_ERROR
>AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL
>AM_TM_INIT_MODECFG_V6H, NullEvent
>AM_TM_INIT_MODECFG, EV_WAIT
>
>50249 10/23/2002 17:45:02.350 SEV=4 IKE/136 RPT=249 201.214.18.178
>Group [VPNUser] User [DOMAINX\mwilliams]
>IKE session establishment timed out [AM_WAIT_DELETE], aborting!
>
>50251 10/23/2002 17:45:12.350 SEV=4 IKE/136 RPT=250 201.214.18.178
>Group [VPNUser] User [DOMAINX\mwilliams]
>IKE session establishment timed out [AM_WAIT_DELETE], aborting!
>
>50253 10/23/2002 17:45:22.350 SEV=4 IKE/137 RPT=124 201.214.18.178
>Group [VPNUser] User [DOMAINX\mwilliams]
>Reaper overriding refCnt [0] and tunnelCnt [2] -- deleting SA!
>
>Any explanations, or references to some night time reading material
>(relative to this!) would be greatly appreciated.
>Thanks in advance!
>
>Evan Francen, CCNP
>efrancen at jasc.com
>
>_______________________________________________
>VPN mailing list
>VPN at lists.shmoo.com
>http://lists.shmoo.com/mailman/listinfo/vpn
>

From mark.osborne at awhc.com Fri Oct 25 15:07:06 2002
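Dana's packet-loss reading of Evan's log can be checked mechanically rather than by eye. The block below is an added example written for this thread, not code from Cisco, Evan or Dana: it parses records in the layout the concentrator log shows (event number, date, time, SEV, CLASS/id, RPT, peer address, then a Group/User line and the message text), tallies outcomes per peer and user, and measures how long after a successful authentication the first failure appears. SAMPLE_LOG is the log Evan posted; the labels ike_timeout, fsm_error and sa_reaped are names chosen here for those message texts, not Cisco event names.

```python
"""Summarise IKE failures per remote peer from Cisco VPN 3000 Concentrator
event-log records (added example; SAMPLE_LOG is the log posted in the thread)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Record header as seen in the posted log.
HEADER = re.compile(
    r"^(?P<event>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+SEV=(?P<sev>\d+)\s+"
    r"(?P<cls>[A-Z]+)/(?P<id>\d+)\s+RPT=(?P<rpt>\d+)\s+(?P<peer>\S+)\s*$"
)
IDENT = re.compile(r"^Group \[(?P<group>[^\]]*)\] User \[(?P<user>[^\]]*)\]\s*$")

# Labels assigned here from message text; not an official Cisco taxonomy.
CLASSIFY = [
    ("authenticated.", "authenticated"),
    ("timed out", "ike_timeout"),
    ("FSM error history", "fsm_error"),
    ("Reaper overriding", "sa_reaped"),
]
FAILURE_LABELS = {"ike_timeout", "fsm_error", "sa_reaped"}


def parse_records(text):
    """Split a log dump into one dict per event record."""
    records, current = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = head.groupdict()
            current["ts"] = datetime.strptime(
                f"{current['date']} {current['time']}", "%m/%d/%Y %H:%M:%S.%f")
            current.update(group=None, user=None, message=[])
            records.append(current)
        elif current is not None and line.strip():
            ident = IDENT.match(line)
            if ident:
                current.update(ident.groupdict())
            else:
                current["message"].append(line)
    for rec in records:
        rec["message"] = "\n".join(rec["message"])
    return records


def classify(record):
    for needle, label in CLASSIFY:
        if needle in record["message"]:
            return label
    return "other"


def summarize(records):
    """Count event labels per (peer address, user)."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[(rec["peer"], rec["user"])][classify(rec)] += 1
    return dict(summary)


def flag_peers(summary, min_failures=2):
    """Peers with at least min_failures failure events, worst first."""
    flagged = []
    for key, counts in summary.items():
        failures = sum(n for label, n in counts.items() if label in FAILURE_LABELS)
        if failures >= min_failures:
            flagged.append((key, failures))
    return sorted(flagged, key=lambda kv: -kv[1])


def seconds_auth_to_first_failure(records):
    """Seconds from the first 'authenticated' event to the first failure, per peer."""
    auth_ts, gaps = {}, {}
    for rec in records:
        key, label = (rec["peer"], rec["user"]), classify(rec)
        if label == "authenticated":
            auth_ts.setdefault(key, rec["ts"])
        elif label in FAILURE_LABELS and key in auth_ts and key not in gaps:
            gaps[key] = (rec["ts"] - auth_ts[key]).total_seconds()
    return gaps


SAMPLE_LOG = r"""
50235 10/23/2002 17:44:00.930 SEV=4 IKE/52 RPT=1217 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
User (DOMAINX\mwilliams) authenticated.

50236 10/23/2002 17:44:01.760 SEV=5 IKE/184 RPT=1215 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
Client OS: N/A
Client Application Version: 3.5 (Rel)

50238 10/23/2002 17:44:37.610 SEV=4 IKEDBG/65 RPT=397 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
IKE TM V6 FSM error history (struct &0x4c5db3c)
, :
TM_DONE, EV_ERROR
TM_WAIT_QM_MSG, EV_TIMEOUT
TM_WAIT_QM_MSG, NullEvent
TM_SND_REPLY, EV_SND_MSG

50243 10/23/2002 17:44:37.610 SEV=4 IKEDBG/65 RPT=398 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
IKE AM Responder FSM error history (struct &0x5bd1bd0)
, :
AM_DONE, EV_ERROR
AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL
AM_TM_INIT_MODECFG_V6H, NullEvent
AM_TM_INIT_MODECFG, EV_WAIT

50249 10/23/2002 17:45:02.350 SEV=4 IKE/136 RPT=249 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
IKE session establishment timed out [AM_WAIT_DELETE], aborting!

50251 10/23/2002 17:45:12.350 SEV=4 IKE/136 RPT=250 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
IKE session establishment timed out [AM_WAIT_DELETE], aborting!

50253 10/23/2002 17:45:22.350 SEV=4 IKE/137 RPT=124 201.214.18.178
Group [VPNUser] User [DOMAINX\mwilliams]
Reaper overriding refCnt [0] and tunnelCnt [2] -- deleting SA!
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(flag_peers(summarize(recs)))
    print(seconds_auth_to_first_failure(recs))
```

On the posted records this reports one peer with five failure events and a gap of 36.68 s between the authentication and the first FSM error. The states in those FSM dumps (TM_WAIT_QM_MSG with EV_TIMEOUT, AM_TM_INIT_MODECFG with EV_TM_FAIL) are the concentrator waiting for the client's next message after authentication has already succeeded, which is what a lossy path looks like from the gateway side. Running a full day's log through the same functions and comparing per-peer failure ratios separates one bad link from a concentrator-wide problem.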
From: mark.osborne at awhc.com (Mark Osborne)
Date: Fri, 25 Oct 2002 15:07:06 -0400
Subject: [VPN] VPN for Wireless Access:
Message-ID: <7AC168FF7514C245926C699397E84E53AD2D@PREX01>

Hello All,

I am running Symantec Enterprise Firewall 7.0 and have several VPN clients tunneling in (via wireless internet access from Verizon Wireless) using Raptor Mobile version 6.5 running on Windows ME and 2000, and everything works fine. However, we are in the process of purchasing iPAQ Pocket PC PDAs that use the Microsoft Pocket PC 2002 Operating System and will also be using Verizon Wireless for our wireless ISP. Does anyone know of a good VPN that will work on this OS and be compatible with my Symantec Firewall as well?

Thanks for the help.

Mark

From szii at sziisoft.com Fri Oct 25 15:58:26 2002
From: szii at sziisoft.com (szii at sziisoft.com)
Date: Fri, 25 Oct 2002 12:58:26 -0700
Subject: [VPN] CryptoCluster Issues
References: <20021026135744.18395.qmail@fuzuli.enderunix.org>
Message-ID: <001601c27c60$e1bfe730$ef02a8c0@thewavemedia.com>

I know it's ancient, but it's what I have to work with:

1 Alchemy CryptoCluster with no PCMCIA cards (both slots open), no documentation, no contact information, nada. Nokia is not being helpful either since they've discontinued the line.

Bah.

Does anyone have ANY information on this thing? I cannot find documentation of any kind on the 'net and cannot even find manuals available on eBay.

Major Questions:

1) What filesystem/manufacturer do the cards need to be? Flash memory or PCMCIA harddrives?
2) Does the system simply boot from pcmcia and run whatever OS it finds, or is the PCMCIA simply for storing configuration data?

Right now I cannot get past "recovery mode" because the darn thing won't recognize anything I try for flash cards.

Ideas? Anyone know of a non-Google'd quickstart guide? Tips and Tricks? Anyone with manuals/flashcards for sale? I've been playing with this thing for almost a week now, between research and shotgunning different things. I'm now trying formatting the PCMCIA card in other machines under different filesystems just to try and get SOMETHING to work.

Thanks!

-Mike

From vofka at hotpop.com Tue Oct 29 07:50:46 2002
From: vofka at hotpop.com (Mike Insch)
Date: Tue, 29 Oct 2002 12:50:46 +0000
Subject: [VPN] Problems between FreeBSD and Netscreen
Message-ID: <200210291250.46099.vofka@hotpop.com>

I am trying to set up an IPSec VPN between a FreeBSD box (FreeBSD 4.6.2-RELEASE with Racoon-20020507a) and a Netscreen 25. I only have control of the FreeBSD box; the Netscreen belongs to a client.

I think I have the SPD entries configured correctly, and I am reasonably sure that the racoon.conf file is right, but I am still getting timeouts at IKE Phase 1. I am using 3DES, SHA1 and DH Group 5 (modp1536).

I can get a good traceroute from the BSD box to the final hop before the NS25 (the NS is blackholing all ICMP), so I am confident that general communications to the NS box are good.

Does anyone have any suggestions as to where I can look to see what may be causing the timeout problem? Has anyone successfully got FreeBSD speaking to an NS25? If you have, would you mind posting example configs for Racoon and for the NS (that way I can ask my client to verify his end of the link)?

Any assistance would be greatly appreciated,

Kind Regards,
Mike Insch, IT Engineer.

From Joel.Snyder at Opus1.COM Tue Oct 29 13:22:25 2002
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Tue, 29 Oct 2002 11:22:25 -0700 (MST)
Subject: [VPN] CryptoCluster Issues
In-Reply-To: "Your message dated Fri, 25 Oct 2002 12:58:26 -0700" <001601c27c60$e1bfe730$ef02a8c0@thewavemedia.com>
References: <20021026135744.18395.qmail@fuzuli.enderunix.org>
Message-ID: <01KO8HQNOIF09QX0NP@Opus1.COM>

>I know it's ancient, but it's what I have to work with

Actually, it's not that ancient... Well, if it says "Alchemy," then it probably is 2000-vintage, since Nokia bought them in 2000 mid-year. Which model? 2500? 5000? 5100? 5200? If you have two of them, they make a wicked GATED high-availability routing cluster. Or VPN, or PPTP, or L2TP.

>1 Alchemy CryptoCluster with no PCMCIA cards (both slots open),
> no documentation, no contact information, nada. Nokia is not being
> helpful either since they've discontinued the line.

Without a PCMCIA card, you are completely out of luck. Any linear (not ATA) flash card will work fine; the Intel Value Series 200 (8 Mb) is really common and should be fine. AMD D series also work, also the Intel Value 100 16 Mb, although that's about 14 more Mb than you really need.

What you do is boot up into the recovery kernel and format the flash, then you can TFTP down files to the flash from someplace where you happen to have stashed them. The filesystem is proprietary. The system boots from PCMCIA and runs the OS it finds there. Trying other file systems isn't going to get you anywhere.

I don't know what the support issue is, but if you go to ftp.network-alchemy.com, you can get all the current software & manuals. You will need the GUI (PolicyManager) unless you want to maintain the config via a CLI, which I strongly DIS-recommend. Plus, the actual kernel. Those two files (one for your workstation; one for the FLASH) are all you need to get going. The .SR file (StingRay) is for 500/2500; the .KL (KiltLifter) is for 5xxx series.
jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms at Opus1.COM    http://www.opus1.com/jms    Opus One

>Bah.
>Does anyone have ANY information on this thing? I cannot find
>documentation of any kind on the 'net and cannot even find manuals
>available on eBay.
>Major Questions:
>1) What filesystem/manufacturer do the cards need to be? Flash memory
> or PCMCIA harddrives?
>2) Does the system simply boot from pcmcia and run whatever OS it finds,
> or is the PCMCIA simply for storing configuration data?
>Right now I cannot get past "recovery mode" because the darn thing won't
>recognize anything I try for flash cards.
>Ideas? Anyone know of a non-Google'd quickstart guide? Tips and Tricks?
>Anyone with manuals/flashcards for sale? I've been playing with this thing
>for almost a week now, between research and shotgunning different things.
>I'm now trying formatting the PCMCIA card in other machines under different
>filesystems just to try and get SOMETHING to work.
>Thanks!
>-Mike
>_______________________________________________
>VPN mailing list
>VPN at lists.shmoo.com
>http://lists.shmoo.com/mailman/listinfo/vpn

From ylee at net50.com Tue Oct 29 18:39:10 2002
From: ylee at net50.com (Yang Lee)
Date: Tue, 29 Oct 2002 15:39:10 -0800
Subject: [VPN] Problems between FreeBSD and Netscreen
In-Reply-To: <200210291250.46099.vofka@hotpop.com>
Message-ID:

What's the version of your ScreenOS? Can you borrow a NS box for testing in the lab? Also if you (your client) have a support contract with Netscreen, you'll find out they are very helpful.

Regards,

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com]On Behalf Of Mike Insch
Sent: Tuesday, October 29, 2002 4:51 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Problems between FreeBSD and Netscreen

I am trying to set up an IPSec VPN between a FreeBSD box (FreeBSD 4.6.2-RELEASE with Racoon-20020507a) and a Netscreen 25. I only have control of the FreeBSD box; the Netscreen belongs to a client.

I think I have the SPD entries configured correctly, and I am reasonably sure that the racoon.conf file is right, but I am still getting timeouts at IKE Phase 1. I am using 3DES, SHA1 and DH Group 5 (modp1536).

I can get a good traceroute from the BSD box to the final hop before the NS25 (the NS is blackholing all ICMP), so I am confident that general communications to the NS box are good.

Does anyone have any suggestions as to where I can look to see what may be causing the timeout problem? Has anyone successfully got FreeBSD speaking to an NS25? If you have, would you mind posting example configs for Racoon and for the NS (that way I can ask my client to verify his end of the link)?

Any assistance would be greatly appreciated,

Kind Regards,
Mike Insch, IT Engineer.

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From TKoopman at SonicWALL.com Tue Oct 29 19:54:57 2002
From: TKoopman at SonicWALL.com (TKoopman at SonicWALL.com)
Date: Tue, 29 Oct 2002 16:54:57 -0800
Subject: [VPN] IPSEC client for Solaris 8
Message-ID:

Does anyone know if Solaris 8.0 has either a native or 3rd party IPSEC compatible VPN client? I'm looking for vpn software to run on Solaris 8 and build a tunnel back to a SonicWALL.

Regards
Todd Koopman
Systems Engineer
SonicWALL

From yararat at go-documenta.com Wed Oct 30 06:22:05 2002
From: yararat at go-documenta.com (yararat)
Date: Wed, 30 Oct 2002 13:22:05 +0200
Subject: [VPN] Setting a computer with "Real" IP
Message-ID: <000901c28006$985854c0$3201010a@ts.com>

I want to set a computer behind a FireBox and a netscreen to be available as a web server to the web.
First my question is if it is possible and if so how do I configure it?
Is it merely a change of the IP to a "Real" IP and the gateway DNS and so on, or do I need to change something in the appliances?

Regards

Yuval Ararat

From cgripp at automotive.com Wed Oct 30 11:42:36 2002
From: cgripp at automotive.com (Chris Gripp)
Date: Wed, 30 Oct 2002 08:42:36 -0800
Subject: [VPN] Setting a computer with "Real" IP
Message-ID:

From behind a Netscreen you would set up a MIP (Mapped IP) and redirect the service port to the Internal IP. However, I have had some trouble redirecting services that the Netscreen itself was listening for. I.e. you can't have the Web GUI enabled on port 80 AND redirect port 80 via a MIP.

Chris Gripp
Sr.

-----Original Message-----
From: yararat [mailto:yararat at go-documenta.com]
Sent: Wednesday, October 30, 2002 3:22 AM
To: VPN at lists.shmoo.com
Subject: [VPN] Setting a computer with "Real" IP

I want to set a computer behind a FireBox and a netscreen to be available as a web server to the web.
First my question is if it is possible and if so how do I configure it?
Is it merely a change of the IP to a "Real" IP and the gateway DNS and so on, or do I need to change something in the appliances?

Regards

Yuval Ararat

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

Automotive.com, Inc., 1901 E. Carnegie Unit 1-Q, Santa Ana, CA 92705, (949)261-9899

From osmond at holburn.com Wed Oct 30 12:01:22 2002
From: osmond at holburn.com (Chad Osmond)
Date: Wed, 30 Oct 2002 12:01:22 -0500
Subject: [VPN] Setting a computer with "Real" IP
References:
Message-ID: <01a501c28035$f94584e0$6d01a8c0@HOLBURN1000>

>From behind a Netscreen you would set up a MIP (Mapped IP) and redirect the service port
>to the Internal IP. However, I have had some trouble redirecting services that the Netscreen
>itself was listening for. I.e. you can't have the Web GUI enabled on port 80 AND redirect
>port 80 via a MIP.

Just disable the public side management, move the private side to a different IP and you should be fine.

From TomM at spectrum-systems.com Wed Oct 30 15:16:12 2002
From: TomM at spectrum-systems.com (Tom McHugh)
Date: Wed, 30 Oct 2002 15:16:12 -0500
Subject: [VPN] Setting a computer with "Real" IP
Message-ID: <2A0DB5123A51874C82699788F0985ED2064F17@sith.spectrum-systems.com>

In the NetScreen devices, a Mapped IP ("MIP") should not have any problem if the external address being mapped is not the same as the NetScreen's own IP. I usually see the problem you are describing with Virtual IPs ("VIPs") when the IP being "virtualized" is that of the NetScreen's Untrust interface.

I haven't tried it, but you might be able to get around the problem by setting the web management port to something other than 80, though. Admin -> Web, change the "Web port" field.

HTH,
Tom

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com
Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"
11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

Stop struggling with your network! You can save yourself the headache of total network management and save money at the same time by using the help and expertise of experienced professionals. Call us at 800-929-3781 or visit us at http://www.spectrum-systems.com to learn more.

> -----Original Message-----
> From: Chris Gripp [mailto:cgripp at automotive.com]
> Sent: Wednesday, October 30, 2002 11:43 AM
> To: yararat at go-documenta.com; VPN at lists.shmoo.com
> Subject: RE: [VPN] Setting a computer with "Real" IP
>
>
> From behind a Netscreen you would set up a MIP (Mapped IP)
> and redirect the service port to the Internal IP. However, I
> have had some trouble redirecting services that the Netscreen
> itself was listening for. I.e. you can't have the Web GUI
> enabled on port 80 AND redirect port 80 via a MIP.
>
> Chris Gripp
> Sr.
>
> -----Original Message-----
> From: yararat [mailto:yararat at go-documenta.com]
> Sent: Wednesday, October 30, 2002 3:22 AM
> To: VPN at lists.shmoo.com
> Subject: [VPN] Setting a computer with "Real" IP
>
>
> I want to set a computer behind a FireBox and a netscreen to be
> available as a web server to the web.
> First my question is if it is possible and if so how do I
> configure it?
> Is it merely a change of the IP to a "Real" IP and the gateway DNS and
> so on or do I need to change some thing in the appliances?
>
> Regards
>
> Yuval Ararat
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
>

From engelhard at netmarks.co.jp Wed Oct 30 20:41:03 2002
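Tom's distinction (a MIP on an address other than the NetScreen's own works; a VIP on the Untrust interface address collides with a management listener on the same port) can be written down as a pre-deployment check instead of being discovered after the rule is pushed. The block below is an added example, not code or configuration from the thread or from NetScreen. Its addresses are constructed from the 203.0.113.0/24 documentation range, and its precedence rule (a service the firewall itself listens on at the interface address takes the packet before a VIP on the same address and port) is an assumption chosen to reproduce the symptom Chris reported, not documented ScreenOS behaviour.

```python
"""Model inbound dispatch on a NetScreen-style firewall to catch port
collisions between management listeners, Mapped IPs and Virtual IPs.
Added example; precedence rule and addresses are assumptions, see lead-in."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    untrust_ip: str                                  # address of the Untrust interface
    admin_ports: set = field(default_factory=set)    # management listeners on untrust_ip
    mips: dict = field(default_factory=dict)         # external ip -> internal host (all ports)
    vips: dict = field(default_factory=dict)         # (external ip, port) -> (host, port)

    def add_mip(self, external_ip, host):
        # Assumed rule from Tom's reply: a MIP needs an address distinct from the box's own.
        if external_ip == self.untrust_ip:
            raise ValueError("a MIP must use an address distinct from the interface IP")
        self.mips[external_ip] = host

    def add_vip(self, external_ip, port, host, host_port=None):
        self.vips[(external_ip, port)] = (host, port if host_port is None else host_port)


def dispatch(fw, dst_ip, dst_port):
    """Who receives a packet to dst_ip:dst_port?  Returns (kind, target) where
    kind is "firewall", "vip", "mip" or "drop".  Assumed precedence: the
    firewall's own listener, then VIP, then MIP."""
    if dst_ip == fw.untrust_ip and dst_port in fw.admin_ports:
        return ("firewall", (dst_ip, dst_port))
    if (dst_ip, dst_port) in fw.vips:
        return ("vip", fw.vips[(dst_ip, dst_port)])
    if dst_ip in fw.mips:
        return ("mip", (fw.mips[dst_ip], dst_port))
    return ("drop", None)


def find_conflicts(fw):
    """VIP entries that can never receive traffic because something earlier in
    the precedence order claims the same address and port."""
    return sorted(key for key in fw.vips if dispatch(fw, *key)[0] != "vip")


def move_admin_port(fw, old_port, new_port):
    """Tom's workaround: keep management reachable but off the contested port."""
    fw.admin_ports.discard(old_port)
    fw.admin_ports.add(new_port)


def build_example():
    """Constructed topology: web GUI on 80/443, one MIP, one VIP on the interface IP."""
    fw = Firewall(untrust_ip="203.0.113.1", admin_ports={80, 443})
    fw.add_mip("203.0.113.10", "10.0.0.10")        # whole address mapped, any port
    fw.add_vip("203.0.113.1", 80, "10.0.0.20")     # web server published on the interface IP
    return fw


if __name__ == "__main__":
    fw = build_example()
    print("conflicts before:", find_conflicts(fw))
    move_admin_port(fw, 80, 8080)
    print("conflicts after:", find_conflicts(fw))
    print(dispatch(fw, "203.0.113.1", 80), dispatch(fw, "203.0.113.10", 80))
```

Run as-is it reports the VIP on 203.0.113.1:80 as shadowed by the web GUI, shows the MIP on 203.0.113.10 unaffected on the same port, and after the management port is moved to 8080 the VIP becomes reachable. Chad's alternative, disabling management on the public side, corresponds to emptying admin_ports for that interface.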
From: engelhard at netmarks.co.jp (Engelhard M. Labiro)
Date: Thu, 31 Oct 2002 10:41:03 +0900
Subject: [VPN] Cisco VPN Client with Aironet on ThinkPad WinXP
Message-ID: <20021031103718.D13C.ENGELHARD@netmarks.co.jp>

Hi all,

Does anyone experience a problem when installing the Cisco VPN3000 client on an IBM ThinkPad loaded with Windows XP + Aironet Wireless? We have a problem here: Windows XP freezes and couldn't boot. We couldn't find what caused the problem. Would like to share if anyone experiences the same problem.

Best Regards,
Engel

From kazuki.kamiya at uniadex.co.jp Thu Oct 31 02:21:43 2002
From: kazuki.kamiya at uniadex.co.jp (kazuki kamiya)
Date: Thu, 31 Oct 2002 16:21:43 +0900
Subject: [VPN] VPN3000 and Ascend RADiUS
Message-ID:

Hi all

Does vpn3000 work with Ascend RADIUS?

If vpn3000 works with Ascend RADIUS, I want to know how to configure RADIUS.
Should I add a vendor specific attribute to the default dictionary file?
And I want to know the minimum configuration of the user file.
Do I only need to write username, groupname, password?
(Sample of other RADIUS is OK too)

Any assistance would be greatly appreciated,

From jwang at bstormnetworks.com Thu Oct 31 11:59:03 2002
From: jwang at bstormnetworks.com (Jing Wang)
Date: Thu, 31 Oct 2002 08:59:03 -0800
Subject: [VPN] Unknown type IKE attribute in Contivity
Message-ID: <40301581B2962B448690A023EF16DFE12A36CF@bsn-mail-01.bstormnetworks.com>

I am trying to set up an IPSec tunnel between a Nortel Contivity VPN client and a VPN server powered by the SSH engine. The Contivity client will start IKE phase I negotiation with aggressive mode. The problem is the Contivity client always sends an unknown type attribute in its SA proposals. The type is 32767 and the value is 10. It is not a standard type and I cannot find a place that explains this type. So the SSH engine cannot recognize this attribute and rejects the proposal.

Does anyone know about this SA? If you have a Contivity client installed, have you faced a similar problem before?

Any help is highly appreciated.

Best regards,

Jing Wang
Black Storm Networks

From A.Benallegue at ecmwf.int Thu Oct 31 12:11:10 2002
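Attribute type 32767 sits at the top of the range RFC 2409 Appendix A sets aside for private use (16384 through 32767), which is why a responder with no definition for it has nothing to match the transform against. The decoder below is an added example, not code from the thread, from Nortel or from the SSH toolkit: it walks the ISAKMP Data Attribute encoding of RFC 2408 section 3.3 (a 2-byte type whose top bit selects either a 2-byte value or a length followed by the value), names the standard phase-1 classes and reports anything outside them. The byte string is constructed here to hold an ordinary 3DES/SHA/pre-shared-key proposal followed by the attribute Jing describes (type 32767, value 10); what value 10 means is vendor-private and is not decoded.

```python
"""Decode ISAKMP Data Attributes (RFC 2408 s.3.3) from a transform payload and
classify each type against the IKE attribute ranges of RFC 2409 Appendix A.
Added example; SAMPLE_ATTRS is constructed, not a capture."""
import struct

AF_BIT = 0x8000  # attribute format bit: 1 = TV (2-byte value), 0 = TLV (length + value)

# Phase-1 attribute classes, RFC 2409 Appendix A.
IKE_ATTR_NAMES = {
    1: "Encryption-Algorithm", 2: "Hash-Algorithm", 3: "Authentication-Method",
    4: "Group-Description", 5: "Group-Type", 6: "Group-Prime", 7: "Group-Generator-One",
    8: "Group-Generator-Two", 9: "Group-Curve-A", 10: "Group-Curve-B", 11: "Life-Type",
    12: "Life-Duration", 13: "PRF", 14: "Key-Length", 15: "Field-Size", 16: "Group-Order",
}


def classify_type(attr_type):
    """Map a 15-bit attribute type to its RFC 2409 Appendix A range."""
    if attr_type in IKE_ATTR_NAMES:
        return "standard"
    if 17 <= attr_type <= 16383:
        return "reserved-to-IANA"
    if 16384 <= attr_type <= 32767:
        return "private-use"
    raise ValueError(f"attribute type out of range: {attr_type}")


def parse_attributes(data):
    """Walk the attribute list.  Each entry is a 2-byte type field (AF bit plus
    15-bit type) followed by a 2-byte value (TV) or a 2-byte length and value (TLV)."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        raw_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        attr_type = raw_type & 0x7FFF
        if raw_type & AF_BIT:
            value = second
        else:
            if off + second > len(data):
                raise ValueError("truncated TLV attribute")
            value = int.from_bytes(data[off:off + second], "big")
            off += second
        attrs.append({
            "type": attr_type,
            "name": IKE_ATTR_NAMES.get(attr_type, f"type-{attr_type}"),
            "class": classify_type(attr_type),
            "value": value,
        })
    return attrs


def unrecognized(attrs):
    """Attributes a strict responder has no definition for.  The thread shows a
    responder rejecting the whole proposal over one of these."""
    return [a for a in attrs if a["class"] != "standard"]


# Constructed transform attribute list: 3DES, SHA, pre-shared key, MODP group 2,
# lifetime 86400 s, then the private-use attribute from the thread.
SAMPLE_ATTRS = bytes.fromhex(
    "8001 0005"            # Encryption-Algorithm = 5 (3DES-CBC), TV form
    "8002 0002"            # Hash-Algorithm = 2 (SHA)
    "8003 0001"            # Authentication-Method = 1 (pre-shared key)
    "8004 0002"            # Group-Description = 2 (1024-bit MODP)
    "800b 0001"            # Life-Type = 1 (seconds)
    "000c 0004 00015180"   # Life-Duration, TLV form, 4-byte value 86400
    "ffff 000a"            # type 0x7fff = 32767 with AF bit set, value 10
)

if __name__ == "__main__":
    for a in parse_attributes(SAMPLE_ATTRS):
        print(f"{a['type']:>5} {a['name']:<22} {a['class']:<16} value={a['value']}")
```

A responder that wants to interoperate with such a client can skip a private-use attribute it does not implement instead of failing the transform, but that should be an explicit, logged policy decision: silently ignoring attributes also hides ones the peer may be relying on, and the log line is what lets the next person find the vendor extension this thread could not name.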
From: A.Benallegue at ecmwf.int (Ahmed Benallegue)
Date: Thu, 31 Oct 2002 17:11:10 +0000
Subject: [VPN] CPU usage due to IPSec tunnels on Cisco routers
References: <20021015113420.2d8cf4d7.dgoldsmith@sans.org>
Message-ID: <3DC1642E.1030805@ecmwf.int>

Hello all,

I am writing a recommendation document regarding the implementation of IPSec using Cisco routers. The remote sites (50 in all) linked to our HQ use different Cisco routers from 1600 to 7140... I performed some internal IPSec tests (mainly ftps through established tunnels and the "show proc cpu" command) using a 1605 and a 7140 router. So I was able to see the CPU usage overload due to the use of IPSec, which is very important when using a small router (1605) without any encryption card.

I need now to draw some conclusions about the relationship between the CPU usage and Cisco router features (model, RAM, DRAM, ) and possibly what is the acceptable limit regarding the CPU usage on a Cisco router in general. So if anyone has any idea about where I can find any information regarding this (I had a look on the Cisco website with no success).

Thanx
Cheers
Ahmed

From engelhard at netmarks.co.jp Thu Oct 31 17:10:53 2002
From: engelhard at netmarks.co.jp (Engelhard M. Labiro)
Date: Fri, 01 Nov 2002 07:10:53 +0900
Subject: [VPN] VPN3000 and Ascend RADiUS
In-Reply-To:
References:
Message-ID: <20021101070102.ED89.ENGELHARD@netmarks.co.jp>

Hi Kazuki,

We have an implementation of VPN3000 with users' authentication to Ascend RADIUS. There was a little problem but no big issues. If you only do authentication, then there is no need to add vendor specific attributes. This means that the RADIUS only returns "yes" or "no" to the Concentrator and lets the Concentrator handle the other user parameters. You may try the CCO page for a sample of configuring RADIUS. See the section "CVPN 3000 Concentrator and Authentication".

Best Regards,
Engel

On Thu, 31 Oct 2002 16:21:43 +0900
"kazuki kamiya" wrote:

>
> Hi all
>
> Does vpn3000 work with Ascend RADIUS?
>
> If vpn3000 works with Ascend RADIUS, I want to know how
> to configure RADIUS.
> Should I add a vendor specific attribute to the default dictionary file?
> And I want to know the minimum configuration of the user file.
> Do I only need to write username, groupname, password?
> (Sample of other RADIUS is OK too)
>
> Any assistance would be greatly appreciated,
>
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

From kejvan at cdg.chalmers.se Thu Oct 31 17:54:16 2002
From: kejvan at cdg.chalmers.se (Kejvan Redjamand)
Date: Thu, 31 Oct 2002 23:54:16 +0100 (MET)
Subject: [VPN] VPN3000 and Ascend RADiUS
In-Reply-To:
Message-ID:

Hi

Does anybody know a free radius implementation that works with Cisco 3000?

Any help of great importance!

Kejv

> Hi all
>
> Does vpn3000 work with Ascend RADIUS?
>
> If vpn3000 works with Ascend RADIUS, I want to know how
> to configure RADIUS.
> Should I add a vendor specific attribute to the default dictionary file?
> And I want to know the minimum configuration of the user file.
> Do I only need to write username, groupname, password?
> (Sample of other RADIUS is OK too)
>
> Any assistance would be greatly appreciated,

From Joel.Snyder at Opus1.COM Thu Oct 31 18:05:47 2002
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Thu, 31 Oct 2002 16:05:47 -0700 (MST)
Subject: [VPN] Remote Access VPN Review in Network World
Message-ID: <01KOBK7ADT489QWNF6@Opus1.COM>

In your mailbox today should be this week's Network World (10/28) which has a long and detailed review of Remote Access VPN (IPsec) products.

Unfortunately, due to a copy editing error, the Pros/Cons summary as well as the scorecard in the printed version are wrong. Please pay the pretty graphical parts of the printed version no mind... They're wrong.

You can, however, read the ACCURATE Pros/Cons and Scorecard if you're interested in the on-line version. The URL to start with is:

http://www.nwfusion.com/reviews/2002/1028bg.html (An overview of the whole review)

Or, you can jump right to:

http://www.nwfusion.com/reviews/2002/1028bgrev.html (the main body of the review)
http://www.nwfusion.com/reviews/2002/1028bgipsec.html (my sage advice on how RA VPNs have changed the last year)
http://www.nwfusion.com/reviews/2002/1028bgipsecalt.html (alternatives to IPsec, specifically SSL-based VPNs)
http://www.nwfusion.com/reviews/2002/1028bgchart.html (a chart showing per-user pricing for 100/1000/10000 users)

and so on. There's also a chart which helps compare 115 different VPN products based on information submitted by the vendor, a quick discussion on multi-platform support in remote access VPNs, and a testing methodology showing how we evaluated the products.

Well thought-out comments welcome...

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms at Opus1.COM    http://www.opus1.com/jms    Opus One