[VPN] Multiple VPN connections PIX

Greg Owens Jr greg.l.owens at verizon.net
Thu Apr 17 08:26:19 EDT 2003


Subject: [VPN] Multiple VPN connections PIX





Is there any way to configure multiple simultaneous VPN connections only
using Cisco PIX? If not, what other solutions are available?

Yes, the PIX can do this. Just configure some crypto maps with different
numbers.


Greg Owens
202-398-2552
fax 202-399-7690
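An added configuration example (not from Greg's message or the original post) that spells out the "crypto maps with different numbers" answer: one crypto map on the outside interface with separate sequence numbers per tunnel. It assumes PIX 6.x syntax and constructed values (inside 10.1.0.0/16, site A 10.2.0.0/16 behind 203.0.113.10, site B 10.3.0.0/16 behind 203.0.113.20, a 10.9.0.0/24 client pool, placeholder keys); the third, dynamic entry goes slightly beyond the thread by also covering remote-access clients whose address is not known in advance.

```text
: Added example, not from the original post. PIX 6.x syntax; all addresses,
: names and keys are constructed. Each "crypto map outside_map <seq>" block is
: one independent tunnel policy; the sequence number is what lets several
: tunnels share a single crypto map bound once to the outside interface.

: Traffic selectors: which flows each static tunnel protects
access-list siteA permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list siteB permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0

: Exempt all tunnelled traffic from NAT so private addresses survive
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.255.0
nat (inside) 0 access-list nonat

: Allow decrypted IPsec traffic in without a separate conduit/access-list
sysopt connection permit-ipsec

: One transform set shared by every entry
crypto ipsec transform-set strong esp-3des esp-sha-hmac

: Entry 10: site-to-site tunnel to site A
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address siteA
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set strong

: Entry 20: site-to-site tunnel to site B (same map, different sequence number)
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address siteB
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set strong

: Entry 30: dynamic entry for remote-access clients; the highest sequence
: number so the static peers above are matched first
ip local pool vpnpool 10.9.0.1-10.9.0.254
vpngroup mobile address-pool vpnpool
vpngroup mobile password REPLACE_WITH_GROUP_KEY
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 30 ipsec-isakmp dynamic dynmap

: Bind the whole map (all three entries) to the outside interface once
crypto map outside_map interface outside

: IKE phase 1: a distinct pre-shared key per static peer, no wildcard key
isakmp enable outside
isakmp key REPLACE_WITH_KEY_A address 203.0.113.10 netmask 255.255.255.255
isakmp key REPLACE_WITH_KEY_B address 203.0.113.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

After applying it, `show crypto map` should list entries 10, 20 and 30 under outside_map, and `show crypto isakmp sa` shows one phase 1 SA per peer that has come up.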
 

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf
Of vpn-request at lists.shmoo.com
Sent: Thursday, April 17, 2003 8:00 AM
To: vpn at lists.shmoo.com
Subject: VPN digest, Vol 1 #157 - 8 msgs


Today's Topics:

   1. Ang: [VPN] IPSEC or PPTP over Nextel Packetstream Gold (hakan.palm at generic.se)
   2. RE: IPSEC or PPTP over Nextel Packetstream Gold (Jim Atherton)
   3. vpn on a lan running win98se (derricko at dwightcav.com)
   4. Re: Re: [VPN] VPN help (safieradam)
   5. Clientless VPN (safieradam)
   6. Multiple VPN connections PIX (jmondaca at entelsa.entelnet.bo)
   7. RE: IPSEC or PPTP over Nextel Packetstream Gold (Jac)
   8. Re: Clientless VPN (safieradam)

--__--__--

Message: 1
From: hakan.palm at generic.se
Date: Tue, 15 Apr 2003 23:08:21 +0200
To: jim.atherton at netifice.com
Cc: vpn at lists.shmoo.com
Subject: Ang: [VPN] IPSEC or PPTP over Nextel Packetstream Gold

Jim,

are you trying to connect to a Cisco VPN 3002 Hardware
Client with another client?
If so, the simple answer is, as far as I know, no you cannot
terminate the VPN tunnel from another client like the Cisco
VPN Client at the VPN 3002, simply because the Cisco
VPN 3002 is a hardware client and not a concentrator.

For a mobile solution the VPN 3000 Concentrator range is
IMNHO really nice to work with and well suited. You can
use the Cisco VPN Client on a laptop running all but the
archaic versions of Windows, Mac OS X, Linux... There is
3rd party support for older Mac OS, Symbian, Pocket PC
and PalmOS.

HTH

Regards,
/Palm




	jim.atherton at netifice.com
2003-04-15 20:35

	To:	vpn at lists.shmoo.com @ INTERNET
	Cc:	(Blank: Hakan Palm/Generic)
	Subject:	[VPN] IPSEC or PPTP over Nextel Packetstream Gold

I need a mobile connectivity solution that supports either (I would like
both and prefer IPSEC) IPSEC (specifically Cisco VPN client 3.5.x or later)
or PPTP (via Windows 2000 native PPTP). I need to connect to a Cisco VPN
3000 hardware client. I looked into this last year and actually tested with
Nextel and neither worked and the guys at Nextel didn't know why. I ran
across an old mail archive here that said that the compression used by
Nextel Packetstream Gold used a compression technology that precluded use of
IPSEC and that this would change sometime in the last quarter of 2002. Does
anyone have any info about the current or near term status of this product?
My company sells a set of VPN products and services and a useful mobile
wireless VPN solution is needed. Before Ricochet crashed we did some stuff
with them. But since then we have had no wireless mobile solution. If there
are any other cost effective mobile wireless solutions out there I would
like to know. Personally, I need connectivity via my laptop and I can accept
speeds of around 28.8 (true speed) but would like higher speeds. Lower, more
expensive solutions are not currently acceptable. I cannot for instance use
some sort of high speed satellite connection due to cost.

Thanks for any info.


_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn





--__--__--

Message: 2
From: Jim Atherton <jim.atherton at netifice.com>
To: "'hakan.palm at generic.se'" <hakan.palm at generic.se>,
	Jim Atherton <jim.atherton at netifice.com>
Cc: vpn at lists.shmoo.com
Subject: RE: [VPN] IPSEC or PPTP over Nextel Packetstream Gold
Date: Tue, 15 Apr 2003 14:18:55 -0700

Guess I need to be a little more clear. We use the VPN 3000 concentrator. I
have a laptop. I need to connect to my work environment with my laptop over
some mobile (moving) method. I have the VPN 3000 software client on my PC
and Windows 2000 PPTP (which the VPN 3000 also will allow as a client). I
have a Nextel phone. I noticed that Nextel has a mobile connectivity
solution (Packetstream Gold) and tried about 6 months ago to make it work.
It didn't. There is an old thread somewhere on this server that states that
Motorola's compression hardware used by Nextel did not support IPSEC
compression (this was during the summer of 2002) but that it would in late
2002. I am trying to find info about whether or not it does now (Nextel has
no clue and no one at Nextel (that I can reach) knows anything about the
technical details of this product Packetstream Gold). Also would accept
alternative cost effective methods (have to approach at least 28.8 speeds).
This is an interesting area that no one seems to have a clue about. Since my
company resells various VPN solutions nationwide, I have a feeling at least
of the potential for this as a product and am a little surprised that no one
has filled this gap.

--__--__--

Message: 3
From: derricko at dwightcav.com
To: <vpn at lists.shmoo.com>
Date: Wed, 16 Apr 2003 15:55:52 +0100
Subject: [VPN] vpn on a lan running win98se

We have a small LAN at work which is peer-to-peer, running win98se, with
proxy server software to ADSL. Is it possible to make our 'fileserver'
act as a server so the chairman can log on remotely as if he was in his
office?

If so what software do you suggest?

regards

Derrick




--__--__--

Message: 4
From: "safieradam" <safieradam at hotmail.com>
To: <hakan.palm at generic.se>
Cc: <aquamjb at mac.com>, <vpn at lists.shmoo.com>
Subject: Re: Re: [VPN] VPN help
Date: Wed, 16 Apr 2003 10:32:01 -0400

I wonder if this service would work on a PDA set up for browsing the
internet.  The client is a Java applet downloaded from the gateway and they
have a "wireless" version.....

https://www.gotomypc.com

Adam Safier

----- Original Message -----
From: <hakan.palm at generic.se>
To: <safieradam at hotmail.com>
Cc: <aquamjb at mac.com>; <vpn at lists.shmoo.com>
Sent: Sunday, April 13, 2003 8:44 AM
Subject: Ang: Re: [VPN] VPN help


Certicom's movianVPN client,
www.certicom.com/products/movian/movianvpn.html,
can be used to connect to e.g. Cisco VPN 3000 and runs on PalmOS, Pocket PC
and Symbian. They also have a FIPS-140-2 compliant client for PalmOS and
Pocket PC.

Might be worth looking at...

HTH,

/Palm




--__--__--

Message: 5
From: "safieradam" <safieradam at hotmail.com>
To: <vpn at lists.shmoo.com>
Date: Wed, 16 Apr 2003 12:10:55 -0400
Subject: [VPN] Clientless VPN

I'm raising the specter of clientless VPN again because I came across this
service which seems to meet the requirements:

I do consider this a form of VPN.  They may only be transmitting the screen
image, essentially pcAnywhere like, but the functionality of getting the
work done is there.

They download the client as a java app so the user does not need to do
special installation.  Instead, it keeps polling a service server so the
initial connection is outbound.

Despite my security issues with it this is very attractive.  Even has PDA,
Mac and Unix support....

https://www.gotomypc.com

Security issues:

Password user authentication only.  I assume this will change as the service
evolves. On the positive side, they do seem to use digital signatures on the
target - " multiple passwords, including an access code that resides on the
host computer and is never transmitted or stored on GoToMyPC servers ".

They advertise/encourage using kiosk PCs for the client.  If you are using
someone else's PC you cannot be sure key-stroke/screen/memory logging is not
going on so your personal passwords could be captured.  A PC/PDA you control
is better as long as you didn't execute some malware along the line.

- You trust the service / software. You are downloading their Java applet,
which could change anytime.  You are essentially trusting them to encrypt
the link from the client to the host and not peek.  Well, the company trusts
the VPN admin for the company VPN so if you have a contract with GoTo...
That is what security is all about - who do you trust and for what?

- Can bypass firewalls.  At least our firewall policy needs review and this
could be a headache.  Both the client and the "target" initiate outbound
connections to a third party service.  If your company policy allows outbound
surfing to just about any address your users could set this up to or from
their office PC without your knowledge.  You may need to implement IP and
DNS name filtering for outbound traffic.  That will only work if GoToMyPC
plays nice and doesn't get into rotating names and addresses or sell the
server part to companies that use their own IP addresses to set up a
corporate service.  URL content filtering on outbound traffic might work.

- Does the phrase below mean that if your policy is to disable all
downloading on the user's PC, GoToMyPC launches its own program that ignores
the browser and downloads and runs a Java app?
" For a user who connects to the host computer via a client with a Mac or
Unix operating system (or from a Windows-based client that does not accept
downloadable files), the Java-enabled Universal Viewer launches
automatically. There is nothing the user needs to do to select the
appropriate Viewer - our technology will automatically detect the client
computer's operating system and launch the appropriate Viewer. "

Any other holes I missed?

I see a review of many companies' policies coming up.

Adam Safier


--__--__--

Message: 6
To: <vpn at lists.shmoo.com>
From: jmondaca at entelsa.entelnet.bo
Date: Wed, 16 Apr 2003 14:38:21 -0400
Subject: [VPN] Multiple VPN connections PIX





Is there any way to configure multiple simultaneous VPN connections only
using Cisco PIX? If not, what other solutions are available?

Regards,

_______________________________________
Jorge Mondaca
Corporate Security Management
(591) 2-2313030 ext 2021
(591) 72029832



--__--__--

Message: 7
Date: Wed, 16 Apr 2003 12:49:44 -0700 (PDT)
From: Jac <jac_des_vert at yahoo.com>
Subject: RE: [VPN] IPSEC or PPTP over Nextel Packetstream Gold
To: Jim Atherton <jim.atherton at netifice.com>,
	"'hakan.palm at generic.se'" <hakan.palm at generic.se>
Cc: vpn at lists.shmoo.com

Are you stuck with the VPN 3000? My understanding is that
Nextel is currently testing the Nortel Contivity platform
for their mobile VPN offering. Should be available in
Q4. I know they have a wireless IPSec client that may
give you the solution you need.

Maybe you can ask about that and see what they are
offering.

Jac





--__--__--

Message: 8
From: "safieradam" <safieradam at hotmail.com>
To: <vpn at lists.shmoo.com>
Subject: Re: [VPN] Clientless VPN
Date: Wed, 16 Apr 2003 17:16:23 -0400

Corrections:

"URL content filtering" was meant to be "URL scanning and web page
content filtering".  i.e. block encrypted web page content.

"At least our firewall policy needs review" was supposed to be "At least
_your_ firewall policy needs review".

RG pointed out that there was a thread on the topic a while back.  My quick
review shows that the common solution was to block the GoToMyPC servers.
While that may work for now because the GoToMyPC folks are nice enough to
maintain a single server farm, it leaves a network open to variations /
competitors, like http://www.htthost.com.   Hackers have used tunneling for
a long time so it's not just web pages and http.  The only real solution I
see is to prohibit encrypted application content in high level policy and
actually block encrypted application content in your perimeter defense or
proxy server.  Adds a nice bit of overhead.  At least content filtering is
not a new concept and vendors exist.

Adam Safier



--__--__--



End of VPN Digest