From losttoy2000 at yahoo.co.uk Mon Feb 3 01:26:44 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Mon, 3 Feb 2003 06:26:44 +0000 (GMT)
Subject: [VPN] IPsec and IKE in an dynamic NAT environment
In-Reply-To: <24EA9B0638C2AD448F3C2E95E3209ECF072946@shrdc1.biodata.com>
Message-ID: <20030203062644.67736.qmail@web12706.mail.yahoo.com>

You might really not need NAT Traversal. If your IPSec SA is only ESP then NAT between the VPN gateway and clients should work. However, if you are using AH or AH+ESP then NAT poses a problem, which can be overcome by using NAT Traversal. The feature must be supported both in the VPN Gateway and in the VPN Client.

What VPN device are you using?

--- Nicolas Saurbier wrote:
> Hi All,
>
> This is the first time I post to this list, so "Hi everybody!!!"
>
> Now I need a little help:
>
> Situation:
> I have a VPN-Gateway with an official IP-address attached directly to the internet. I have a Router that does ISDN dial-up to my ISP. The Router doesn't get a fixed IP-address. The Router is doing Masquerading (192.168.0.0/24 => x.x.x.x/32)
>
> How it should work:
> The users in my 192.168.0.0/24 network shall use Software IPsec-clients; I chose "SSH Sentinel 1.4". My problem is that the IKE is working fine, but the VPN-Gateway denies all incoming esp-packets and sends back an ICMP-packet "Proto 50 unreachable"
>
> SSH Sentinel has got an option called "NAT traversal"....did any1 of you ever work with SSH Sentinel??? Any1 of you doing the same as me?
>
> NIC
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

__________________________________________________
Do You Yahoo!?
Everything you'll ever need on one web page from News and Sport to Email and Music Charts
http://uk.my.yahoo.com

From losttoy2000 at yahoo.co.uk Mon Feb 3 01:31:42 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Mon, 3 Feb 2003 06:31:42 +0000 (GMT)
Subject: [VPN] Cisco Concentrator Timeout for Windows XP VPN client
In-Reply-To: <3E3956F8.2080104@ecmwf.int>
Message-ID: <20030203063142.91269.qmail@web12707.mail.yahoo.com>

Put a sniffer on the Win XP clients and see if the client keeps sending some packets to the remote network even while the user is idling. Something like a NetBIOS broadcast might be keeping the SA/tunnel alive.

--- Ahmed Benallegue wrote:
> Hi,
>
> I am configuring a Cisco Concentrator. I kept the default timeout configuration (the tunnel is stopped after 30 minutes of no communication). This works OK with Windows 2000 clients but it seems that it doesn't stop the VPN connection established from Win XP clients... Is this a known problem and what should I do to fix it?
>
> Thanx.
>
> Ahmed

From losttoy2000 at yahoo.co.uk Mon Feb 3 01:36:21 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Mon, 3 Feb 2003 06:36:21 +0000 (GMT)
Subject: [VPN] KAME and XAUTH
In-Reply-To: <20030131000301.F12698-100000@sisyphus.iocaine.com>
Message-ID: <20030203063621.92296.qmail@web12707.mail.yahoo.com>

From http://www.kame.net/racoon/

    What is planning?
    ipsec WG is working out the new version of the key management protocol because IKE has security issues. There are some candidates as Son-of-IKE (SOI), for example JFK (Just Fast Keying) or IKE v2.
    We are following them and we are going to implement one of them. Some vendors have implemented XAUTH and ike-mode-cfg. We don't have any plan to implement both of them because they are not the internet standard.

Looks like we will have to wait for IKEv2.

--- Tina Bird wrote:
> Hi all --
>
> Any KAME or racoon developers out there? Are there plans for support of XAUTH any time soon? I checked this URL
>
> http://orange.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION?rev=1.325
>
> and various and sundry other bits of www.kame.net but didn't see references to XAUTH anywhere.
>
> thanks for any info -- tbird
>
> --
> I, on the other hand, do not work. I enjoy the slothful life of an artist, and while away the hours in meaningless aesthetic pursuits punctuated by bouts of hedonistic debauchery and an occasional nap.
> -- David Rinehart
>
> http://www.shmoo.com/~tbird
> Log Analysis http://www.loganalysis.org
> VPN http://vpn.shmoo.com

From losttoy2000 at yahoo.co.uk Mon Feb 3 01:41:00 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Mon, 3 Feb 2003 06:41:00 +0000 (GMT)
Subject: [VPN] sonicwall - Ike Proposal not accepted
Message-ID: <20030203064100.73448.qmail@web12701.mail.yahoo.com>

If the IPSec proposal is not accepted, check what you have configured on the client. Is it the same as on the Sonicwall box? Things like IKE proposal (DES/3DES, MD5/SHA, DH-1/DH-2) and tunnel proposal (AH/ESP, DES/3DES, MD5/SHA).

--- P PRABHU wrote:
> Dear All
>
> Well and wish the same. I have configured win2k vpn client to connect to our Sonicwall Pro 200 box. Both sides static I.P is there. While analysing the log it is found that it tries to establish the connection but gives IpSec Proposal not acceptable. Can you pls help me out in this case.
>
> Regards
> P.Prabhu
>
> _________________________________________________________________
> Help STOP SPAM with the new MSN 8 and get 2 months FREE*
> http://join.msn.com/?page=features/junkmail

From losttoy2000 at yahoo.co.uk Mon Feb 3 01:59:11 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Mon, 3 Feb 2003 06:59:11 +0000 (GMT)
Subject: [VPN] Connecting two offices question
In-Reply-To: <002101c2c913$0e940b20$7700000a@dzo.com>
Message-ID: <20030203065911.71208.qmail@web12706.mail.yahoo.com>

Here is what Cisco thinks will save your day (and your job ;-) )

You can use the Cisco Hardware client at your satellite office or even a small PIX 501/506 firewall and create a hub-spoke architecture, making one of the offices your hub and the rest spokes. This allows hub-spoke communication as well as spoke-spoke communication. All this works even if your satellite/spoke sites do not have static IP addresses (DSL or ISDN dial-up). The following example shows a hub-spoke configuration using Cisco routers, but you can easily modify this for PIXes.

http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a0080093dc8.shtml

Cisco also has two interesting features for satellite office connectivity and communication between them: Network Extension mode and Reverse Route Injection. RRI is only available in the concentrator series.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094a86.shtml

--- Nicholas Irving wrote:
> Hi all,
> I have two offices that I currently have connected by 2 Cisco PIX 515UR using the VPN functionality. They are using public IP addresses to communicate, but I would like to make the satellite office part of our main office network, ie. 10.0.0.x, so that they don't have to use public IP addresses for communicating.
>
> I would still like them to use the connectivity they have for all normal Internet traffic, except that of the private network that should go over the VPN.
>
> The reason for this is that I would like them to show up in our Network Neighbourhood, use our central 2000 server and have access to all the other resources on our network.
>
> Any ideas would be appreciated.
>
> Nicholas Irving
> nirving at casinoreality.com

From nharel at nettech-services.net Mon Feb 3 11:11:33 2003
From: nharel at nettech-services.net (Nate Harel)
Date: Mon, 03 Feb 2003 11:11:33 -0500
Subject: [VPN] Where is my network?
Message-ID: <4.2.0.58.20030203104017.00faccb0@mail.nettech-services.net>

Hi all,

Forgive my question if it is silly, but I am a relative novice in VPN and have run into a bind I can't seem to resolve.

Let me set up the scenario:

I have two small offices set up with a local network and router each.

Office "A" has 3 Win2K machines and a Netgear router on a workgroup (called MyNet), internal network 192.168.0.x.

Office "B" has a similar setup, with Win2K and WinXP machines, a Netgear router and a workgroup (also called MyNet), internal network 192.168.1.x.
I set up a VPN outgoing connection (using the Microsoft VPN connections - PPTP) from B's WinXP machine to A, with A generating the address for the incoming VPN connection, 192.168.0.100. All was working well in that B connected to A and was able to transfer files etc. I was never able to "see" the A network from B, but I could map a drive to A's machine. So that was OK.

I then experimented with the following. I changed B's network address to be 192.168.0.x. I made sure that no addresses overlapped so each was unique between the two locations. I was then able to "see" network A with all its computers from the WinXP machine on network B. Yay!!!

But now I can't see the internal B network at all. It doesn't even see itself on the network. If I disconnect the VPN connection and click on Network Neighborhood, I get an error message "Network B is not accessible. You might not have permission to use this network resource... The list of servers for this workgroup is not currently available."

I tried flushing DNS, turned off the VPN, uninstalled TCP and reinstalled. Nothing works. I can't even ping one of the local machines.

What did I do wrong? And why is it that I can see the remote network but can't see the local one? I have NetBIOS over TCP enabled. I am experimenting with LMHOSTS, but not sure why I would need it for local machines.

HELP!!!

----------------------------------
Nate Harel
NetTech Services
56 Pickering Street
Needham, MA 02492-3198
Tel: 1-781-559-8176
Toll Free: 1-877-567-8936
FAX: 1-877-567-8936
Email: nharel at nettech-services.net
www.nettech-services.net
www.OnlineRemoteBackup.com
www.VirtualOfficePhone.com
www.nettech-hosting.com
----------------------------------

From shannong at texas.net Mon Feb 3 14:15:48 2003
From: shannong at texas.net (shannong)
Date: Mon, 3 Feb 2003 13:15:48 -0600
Subject: [VPN] Cisco Concentrator Timeout for Windows XP VPN client
In-Reply-To: <3E3956F8.2080104@ecmwf.int>
Message-ID: <002301c2cbb8$a96206f0$0101a8c0@asteroid>

I have found that Windows 2k/XP clients on a VPN tunnel that connects them to an AD domain are very chatty and seldom quiet long enough to cause inactivity timeouts.

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Ahmed Benallegue
Sent: Thursday, January 30, 2003 10:47 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Cisco Concentrator Timeout for Windows XP VPN client

Hi,

I am configuring a Cisco Concentrator. I kept the default timeout configuration (the tunnel is stopped after 30 minutes of no communication). This works OK with Windows 2000 clients but it seems that it doesn't stop the VPN connection established from Win XP clients... Is this a known problem and what should I do to fix it?

Thanx.

Ahmed

From Robert.Lackey at LOSANGELES.AF.MIL Mon Feb 3 16:29:54 2003
From: Robert.Lackey at LOSANGELES.AF.MIL (Lackey Robert W Contr 61 CS/SCBN)
Date: Mon, 3 Feb 2003 13:29:54 -0800
Subject: [VPN] Cisco VPN3000 - VPN client and ACS Radius -
Message-ID: <29F6FAF7F2C0D41190980002A513591E045ED973@FSNSAB30>

I am setting up a VPN 3030 using the Cisco client and ACS.
I am not getting any password expiring warnings at the client, and I am never prompted for an "old password - new password" when the ID expires. Are there issues with the client passing these to the ACS RADIUS and vice versa? If so, are there any workarounds? This seems such basic functionality to not be working in a product line of this size.

From elijah_savage at reyrey.com Mon Feb 3 22:16:42 2003
From: elijah_savage at reyrey.com (Savage, Elijah)
Date: Mon, 3 Feb 2003 22:16:42 -0500
Subject: [VPN] Cisco VPN3000 - VPN client and ACS Radius -
Message-ID: <2A8D23EAFB17D511A8A400105AA3534006C6CF3C@oh15ex07.reyrey.com>

No, there is nothing wrong. I am load balancing multiple VPN concentrators and you will not get the expiration messages. Cisco has that planned for a future release, but you can change your passwords. On the concentrator make sure you have RADIUS with expiry for the group. This should do it; if you need any more help, let me know.

-----Original Message-----
From: Lackey Robert W Contr 61 CS/SCBN [mailto:Robert.Lackey at LOSANGELES.AF.MIL]
Sent: Monday, February 03, 2003 4:30 PM
To: 'vpn at lists.shmoo.com'
Subject: [VPN] Cisco VPN3000 - VPN client and ACS Radius -

I am setting up a VPN 3030 using the Cisco client and ACS. I am not getting any password expiring warnings at the client, and I am never prompted for an "old password - new password" when the ID expires. Are there issues with the client passing these to the ACS RADIUS and vice versa? If so, are there any workarounds? This seems such basic functionality to not be working in a product line of this size.

From elijah_savage at reyrey.com Mon Feb 3 22:23:37 2003
From: elijah_savage at reyrey.com (Savage, Elijah)
Date: Mon, 3 Feb 2003 22:23:37 -0500
Subject: [VPN] Cisco Concentrator Timeout for Windows XP VPN client
Message-ID: <2A8D23EAFB17D511A8A400105AA3534006C6CF3F@oh15ex07.reyrey.com>

You are going to find yourself on a witch hunt here; I went through this for months. Using Microsoft products, they are just too chatty. Then you will have savvy users get around it, mainly by just opening up Outlook on the desktop communicating with the server, or with IM programs, all types of things. If anyone has successfully implemented this please let me know.

-----Original Message-----
From: shannong [mailto:shannong at texas.net]
Sent: Monday, February 03, 2003 2:16 PM
To: 'Ahmed Benallegue'; vpn at lists.shmoo.com
Subject: RE: [VPN] Cisco Concentrator Timeout for Windows XP VPN client

I have found that Windows 2k/XP clients on a VPN tunnel that connects them to an AD domain are very chatty and seldom quiet long enough to cause inactivity timeouts.

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Ahmed Benallegue
Sent: Thursday, January 30, 2003 10:47 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Cisco Concentrator Timeout for Windows XP VPN client

Hi,

I am configuring a Cisco Concentrator. I kept the default timeout configuration (the tunnel is stopped after 30 minutes of no communication). This works OK with Windows 2000 clients but it seems that it doesn't stop the VPN connection established from Win XP clients... Is this a known problem and what should I do to fix it?

Thanx.

Ahmed

From listuser at myrealbox.com Tue Feb 4 03:22:30 2003
From: listuser at myrealbox.com (listuser)
Date: Tue, 04 Feb 2003 14:12:30 +0550
Subject: [VPN] Using PAP auth with MS VPN adapter in Win 98/DUN-1.4
Message-ID: <1044348150.aa793360listuser@myrealbox.com>

Hi all,

This may be slightly off topic, but I have searched far and wide and still did not get any reply to this :(

I want to set up a PPTP VPN between my Win98 system and a Linux VPN server running poptop. The server part is running fine and I am able to successfully log on to the VPN from XP and NT systems, using PAP auth. But I am not able to connect from 98 with DUN 1.4. The reason being that the default auth scheme for 98 is CHAP and the server accepts only PAP, at least that is what I get from the poptop logs.

So how can I enable PAP in the Win98 VPN Adapter? MS docs say that DUN-1.4 supports PAP (url: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsnetserver/proddocs/server/sag_RASS_clients_VPN.asp), but I am unable to find out how to enable it.

Any help here will be much appreciated!

raj

From ronald.tan at schroders.com Tue Feb 4 20:17:23 2003
From: ronald.tan at schroders.com (Tan, Ronald)
Date: Wed, 5 Feb 2003 01:17:23 -0000
Subject: [VPN] Technical advise on VPN connection between FW1 & Sidewinder.
Message-ID:

Hi,

I need some assistance in setting up a VPN connection between FW1 and Sidewinder. Please let me know if you have any advice.

Thanks,
Ronald.

__________________________________________________________________
This message might contain confidential information.
If it has been sent to you in error please do not forward it or copy it or act upon its contents, but report it to postmaster at schroders.com. Schroders has the right lawfully to record, monitor and inspect messages between its employees and any third party. Your messages shall be subject to such lawful supervision as Schroders deems to be necessary in order to protect its information, its interests and its reputation. Schroders prohibits and takes steps to prevent its information systems from being used to view, store or forward offensive or discriminatory material. If this message contains such material please report it to abuse at schroders.com. Schroders does not normally accept or offer business instructions via email. Any action that you might take upon this message might be at your own risk.

From nharel at nettech-services.net Tue Feb 4 13:47:30 2003
From: nharel at nettech-services.net (Nate Harel)
Date: Tue, 04 Feb 2003 13:47:30 -0500
Subject: [VPN] Where is my network?
Message-ID: <4.2.0.58.20030204134720.00f889e0@mail.nettech-services.net>

Hi all,

Forgive my question if it is silly, but I am a relative novice in VPN and have run into a bind I can't seem to resolve.

Let me set up the scenario:

I have two small offices set up with a local network and router each.

Office "A" has 3 Win2K machines and a Netgear router on a workgroup (called MyNet), internal network 192.168.0.x.

Office "B" has a similar setup, with Win2K and WinXP machines, a Netgear router and a workgroup (also called MyNet), internal network 192.168.1.x.

I set up a VPN outgoing connection (using the Microsoft VPN connections - PPTP) from B's WinXP machine to A, with A generating the address for the incoming VPN connection, 192.168.0.100. All was working well in that B connected to A and was able to transfer files etc. I was never able to "see" the A network from B, but I could map a drive to A's machine. So that was OK.

I then experimented with the following. I changed B's network address to be 192.168.0.x. I made sure that no addresses overlapped so each was unique between the two locations. I was then able to "see" network A with all its computers from the WinXP machine on network B. Yay!!!

But now I can't see the internal B network at all. It doesn't even see itself on the network. If I disconnect the VPN connection and click on Network Neighborhood, I get an error message "Network B is not accessible. You might not have permission to use this network resource... The list of servers for this workgroup is not currently available."

I tried flushing DNS, turned off the VPN, uninstalled TCP and reinstalled. Nothing works. I can't even ping one of the local machines.

What did I do wrong? And why is it that I can see the remote network but can't see the local one? I have NetBIOS over TCP enabled. I am experimenting with LMHOSTS, but not sure why I would need it for local machines.

HELP!!!

----------------------------------
Nate Harel
NetTech Services
56 Pickering Street
Needham, MA 02492-3198
Tel: 1-781-559-8176
Toll Free: 1-877-567-8936
FAX: 1-877-567-8936
Email: nharel at nettech-services.net
www.nettech-services.net
www.OnlineRemoteBackup.com
www.VirtualOfficePhone.com
www.nettech-hosting.com
----------------------------------

From 079928 at exchange.win.lanl.gov Wed Feb 5 09:57:11 2003
From: 079928 at exchange.win.lanl.gov (William D McNeese)
Date: Wed, 5 Feb 2003 07:57:11 -0700
Subject: [VPN] Where is my network?
Message-ID: <915A680EE4904E4489C38269D5167EBA8F34@exchange01.lanl.gov>

The two routers involved "block" the broadcasts that are necessary for the NetBIOS broadcasts to propagate between the two networks; therefore "clicking on network neighborhood" will be unreliable at best and incomplete all the time. The real issue here is name resolution across multiple subnets (the subnets are essentially defined by the router placement).
One critical question would be "are these machines members of a common domain, or are they in workgroups?" If they are in workgroups I'm not sure how the issue can be resolved easily. If they are in a domain (NT vs. Win2K) there are some solutions.

If they are in workgroups, the lmhosts file may be your best answer; however, there are some syntactical issues to be aware of. An lmhosts file is read upon boot and when needed for name resolution. It isn't read when you double click on network neighborhood. To get the machines to appear in network neighborhood you need to use the #PRE extension in the lmhosts syntax. For example:

    192.168.0.1    mymachinename    #PRE
    192.168.0.2    mynextmachine    #PRE

This will pre-load the information into the NetBIOS name cache upon boot. Make sure you have checked the box that indicates you want to use an lmhosts file.

Some other syntactical issues: the #PRE is case sensitive. There must be at least 1 space between the parameters on a line (it can be a tab or multiple spaces). There must be a carriage return, line feed at the end of the last entry. Since the #PRE entries only get read upon boot, you either need to reboot after making a change to the lmhosts file or issue the command nbtstat -R (the R is case sensitive). This should purge and reload the NetBIOS name cache.

Keep in mind that Microsoft is trying to get rid of NetBIOS (this is why it is so hard to find network neighborhood on XP). XP still supports it; however, some of these steps may be a little more difficult to implement on XP (for example I'm not sure where the "Use lmhosts" option is).

Let me know if this helps!

-----Original Message-----
From: Nate Harel [mailto:nharel at nettech-services.net]
Sent: Tuesday, February 04, 2003 11:48 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Where is my network?

Hi all,

Forgive my question if it is silly, but I am a relative novice in VPN and have run into a bind I can't seem to resolve.

Let me set up the scenario:

I have two small offices set up with a local network and router each.

Office "A" has 3 Win2K machines and a Netgear router on a workgroup (called MyNet), internal network 192.168.0.x.

Office "B" has a similar setup, with Win2K and WinXP machines, a Netgear router and a workgroup (also called MyNet), internal network 192.168.1.x.

I set up a VPN outgoing connection (using the Microsoft VPN connections - PPTP) from B's WinXP machine to A, with A generating the address for the incoming VPN connection, 192.168.0.100. All was working well in that B connected to A and was able to transfer files etc. I was never able to "see" the A network from B, but I could map a drive to A's machine. So that was OK.

I then experimented with the following. I changed B's network address to be 192.168.0.x. I made sure that no addresses overlapped so each was unique between the two locations. I was then able to "see" network A with all its computers from the WinXP machine on network B. Yay!!!

But now I can't see the internal B network at all. It doesn't even see itself on the network. If I disconnect the VPN connection and click on Network Neighborhood, I get an error message "Network B is not accessible. You might not have permission to use this network resource... The list of servers for this workgroup is not currently available."

I tried flushing DNS, turned off the VPN, uninstalled TCP and reinstalled. Nothing works. I can't even ping one of the local machines.

What did I do wrong? And why is it that I can see the remote network but can't see the local one? I have NetBIOS over TCP enabled. I am experimenting with LMHOSTS, but not sure why I would need it for local machines.

HELP!!!

----------------------------------
Nate Harel
NetTech Services
56 Pickering Street
Needham, MA 02492-3198
Tel: 1-781-559-8176
Toll Free: 1-877-567-8936
FAX: 1-877-567-8936
Email: nharel at nettech-services.net
www.nettech-services.net
www.OnlineRemoteBackup.com
www.VirtualOfficePhone.com
www.nettech-hosting.com
----------------------------------

From toonman at madasafish.com Wed Feb 5 12:09:10 2003
From: toonman at madasafish.com (The Toonman)
Date: Wed, 5 Feb 2003 17:09:10 -0000
Subject: [VPN] Raptor Mobile and Drive Image?
Message-ID: <002c01c2cd39$4d3fec20$68ac26d4@timmy>

Hi there,

I was wondering if anyone has experienced a problem between Raptor Mobile and PowerQuest Drive Image?

I use Raptor to connect to my office network as I work from home on my own PC. I also use Drive Image to make periodic backup images of my C drive. Previously, when I have restored images, Raptor Mobile has worked just fine. However, I have noticed that if I use Drive Image to copy my C drive from one HD to another (as I recently had to do due to a drive failure) Raptor Mobile fails to connect. The log file shows it trying to connect and then immediately failing, as if there was no internet connection. To get it working again I had to restore a saved image that was taken just before the drive copy. I'd like to add that everything was working perfectly before the drive copy.

This has happened twice now, both times after copying my boot partition from one drive to another. It's very strange.

Has anyone else experienced anything like this?
Rob Sharp From tbird at precision-guesswork.com Thu Feb 6 02:00:12 2003 From: tbird at precision-guesswork.com (Tina Bird) Date: Thu, 6 Feb 2003 07:00:12 +0000 (GMT) Subject: [VPN] SSL "VPNs" Message-ID: <20030206065434.G56496-100000@sisyphus.iocaine.com> My sense of morbid curiosity got the best of me this afternoon, so I've gone through the Web sites of three vendors who provide SSL-based remote access. The general idea for each of these is that SSL is used to create a proxy connection between a remote machine and an internal application of some sort. This is sold as being more convenient and less expensive (in terms of support and software) than a "traditional" VPN solution because SSL is ubiquitous, available to any client independently of operating system cos' it's implemented in Web browsers. Alas, it's not this simple. A traditional Web browser presents HTTP and SSL data (and maybe FTP and gopher) to a client. Web browsers do >not< normally intercept network calls from non-Web applications (like Outlook, or a database app). In order to provide access to other, non-Web protocols (like our favorites, the Microsoft networking protocols, or an email server), the SSL-based systems have to create a mechanism for intercepting those network requests. This is typically done via a Java applet downloaded to the remote machine when it connects to the SSL VPN server; or via a client application that must be specifically loaded onto the remote machine. But as soon as either of these client-side apps are required, you lose the advantage of the SSL VPN in the first place -- you're managing software on the client side. Java doesn't help -- most of the support people I know who deal with mixed Windows/Mac/UNIX environments constantly struggle with inconsistencies in Java implementations. The only applications that any of the SSL VPN vendors claim to be able to secure without any code being loaded on a remote client are >>Web-based applications<<. 
Uh, hey, wait a minute -- I can turn on SSL on my Web-based application servers and do that myself. [In case it's not >>perfectly<< clear by now, I wasn't terribly impressed by any of these solutions!] Details below for specific comments and questions on the three vendors I "reviewed." My requirements for the solution are: it must be able to support arbitrary custom database applications; it has to do granular user based access control (they all satisfied that requirement); it must contain the equivalent of "no split tunneling" or some other mechanism for defending against piggy back attacks (none of them did that). Neoteris http://www.neoteris.com 1) tbird's favorite bit of clueless marketing speak from web site: "Since the IVE provides a robust security layer between the public Internet and internal resources, administrators don't need to constantly manage security policies and patch security vulnerabilities for numerous different application and Web servers deployed in the public-facing DMZ." ---> I'm going to buy a security product from a company that thinks I don't have to patch my servers if I use their gear???? 2) Implication from their architecture high-level overview is that a "protocol connector" is required on the SSL VPN server to communicate with internal applications (the equiv in firewall terms of an application proxy). There are not going to be protocol connectors for custom applications. They specifically mention protocol connectors >for< MS Terminal services, MS Exchange, Lotus Notes, SMTP (may also include IMAP and POP, it wasn't clear), VT100 and 3270 apps, documents on file servers, Web-based enterprise apps, and *ooh* Intranet Web pages. 3) Claims that Java-based application proxy can be used to connect to proprietary client-server apps -- but see caveat above; once we're dependent on Java we get into a multitude of support issues. And anyhow, they don't clarify exactly what "proprietary client-server apps" means. 
4) On the plus side, they seem to do very good system logging -- they specifically mention that they log administrative changes as well as user activity, which is rare and very pleasant. Aventail http://www.aventail.com 1) Three remote access methods: browser-based allows access to Web applications and file shares; downloadable applet for client server applications (presumably also Java based); transparent agent for Windows based systems only. Not much more information on Web site. Previous incarnations of Aventail product were TCP-only, not very flexible. Alteon http://www.nortelnetworks.com/alteon 1) tbird's favorite bonehead bit of Web site: http://www.nortelnetworks.com/products/01/alteon/sslvpn/techspec.html which purports to be the product technical specifications, but has no technical specifications and at least one gratuitous grammar error. 2) Like Aventail, offers clientless access mode (for Web applications only); enhanced browser mode (which isn't explained); and device-specific client access mode for access to legacy applications. 3) And boy oh boy was >this< annoying: they discuss all the great things you can do with their device specific client, but they don't tell you what operating systems are supported with their client... 4) Also claims that it supports SSL encrypted connections to internal applications, but this just perplexes me -- surely that only works for internal applications that are SSL aware? None of these vendors claims to address the split tunneling issue; none of them offers convincing evidence that they can route arbitrary IP-based traffic to an internal location, which I believe is a necessity in most environments. So, oh esteemed mailing list, anyone out there use these things? If so, what do you use them for, how do they work? I would love to be able to offer a "simpler" solution than, for instance, IPsec, but I remain unconvinced that this is it. 
Yours in the quest for more humor in the office -- tbird

--
I, on the other hand, do not work. I enjoy the slothful life of an artist, and while away the hours in meaningless aesthetic pursuits punctuated by bouts of hedonistic debauchery and an occasional nap. -- David Rinehart

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com

From mspencer at evidentdata.com Thu Feb 6 11:40:54 2003
From: mspencer at evidentdata.com (Mark G. Spencer)
Date: Thu, 6 Feb 2003 08:40:54 -0800
Subject: [VPN] Quickest way to create a secure conduit between two Win32 machines?
Message-ID: <000701c2cdfe$8550af80$b600000a@alderon>

I am looking for a way to quickly and easily encrypt all communications between two machines with the encrypted connection being required.

I have looked briefly at Zebedee, F-Secure's SSH server, and MS Technet stuff on PPTP. The configuration on these applications seems to be very complex considering the relatively narrow scope of my task.

Any ideas on the best way to encrypt all communications between two Windows 2000 or XP machines? I simply want to wrap VNC or Windows XP's Remote Desktop with Blowfish or pretty much any other robust encryption. If there is a better solution out there than what I have looked at I would definitely appreciate knowing about it!

On a side note .. Apparently Remote Desktop uses the same encryption as Terminal Services and Citrix? How secure in practice is this?

Thanks,

Mark

From bet at rahul.net Thu Feb 6 12:30:16 2003
From: bet at rahul.net (Bennett Todd)
Date: Thu, 6 Feb 2003 12:30:16 -0500
Subject: [VPN] SSL "VPNs"
In-Reply-To: <20030206065434.G56496-100000@sisyphus.iocaine.com>
References: <20030206065434.G56496-100000@sisyphus.iocaine.com>
Message-ID: <20030206173016.GF1372@rahul.net>

I know of two categories of SSL-transported remote access solution, and one of 'em is sometimes (annoyingly, to my tastes) called a "VPN". That would be socks transported over SSL. Aventail does that.
Throw a socks shim on the local machine, direct it at the local endpoint of a certificate-authenticated stunnel, and voila, you've got a cheap-n-sleazy VPN. More or less works Ok for some apps, if you like socks.

The other SSL-based remote access solution I've seen is actually in my favourite category: thin client. A web browser is trivially an adequate thin client for SSL-based web apps; and there are some approaches (e.g. the Java SSH client, Citrix @Access) that allow downloading a special-purpose client through a web browser for more generic thin client designs. With a bit of care in how things are deployed, you can produce a remote access solution that can allow the use of most apps users end up wanting, from the proverbial internet kiosk or cybercafe.

Only tangentially related to VPNs, though, except in the minds of marketers.

-Bennett

From kpasley6 at comcast.net Thu Feb 6 13:00:44 2003
From: kpasley6 at comcast.net (Keith)
Date: Thu, 06 Feb 2003 13:00:44 -0500
Subject: [VPN] SSL "VPNs"
In-Reply-To: <20030206065434.G56496-100000@sisyphus.iocaine.com>
Message-ID: <001201c2ce09$ab8f2db0$6400a8c0@cp531435a>

Never mind the vendor marketingspeak. Of course the vendors make their product the "prettiest" out there. When have they NOT done that? Just make sure you do due diligence in validating vendor claims.

Interesting how the VPN market is fragmenting into these types of specialty categories. Certainly, SSL-based VPN is not appropriate as a replacement for every IPSec VPN out there. However, IPSec VPN does have its appropriate place, too.

Webmail is, currently, probably the most popular application for a "SSL-based" VPN.
What's to prevent someone from subverting a telecommuter's webmail session today to, somehow, get into the internal network today? Remote desktop security management tools/techniques, i.e. personal firewall/IDS, desktop a/v, etc.

It could be argued that secure remote access does not come in a box with ANY VPN server product (IPSec included, sorry chkpt and csco). I would not be expecting it from these newer SSL-based box makers either any time soon. Most of the newer SSL-based VPN folks observed how the earlier generation VPN companies got burned due to poor remote desktop security management capability in their clients, back in the day, and decided not to get into THAT conundrum.

There are 3rd party remote access security policy management solutions that enforce desktop security policy on the remote desktop before allowing connections and possibly can be adapted to work with SSL-VPNs (a 3rd party remote access policy enforcement agent check before establishing the SSL-based VPN connection, etc).

At this point in the technology development stage it is probably a good idea to look at the newer SSL-based boxes as just a piece of the puzzle, from a remote access security architecture perspective. Use a knife for cutting, a fork for eating, a hammer for building, SSL-based VPN for y, IPSec for w, MPLS-VPN for z... etc. You get the idea.

I advise that, except in the simplest implementation, a network security assessment and desktop software audit should be conducted to discover what areas of the secured remote access pieces are missing. Anybody who would just install one of these boxes without doing this will not truly understand, and therefore not be able to manage, the risk involved.
Keith

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Tina Bird
Sent: Thursday, February 06, 2003 2:00 AM
To: vpn at lists.shmoo.com
Subject: [VPN] SSL "VPNs"

My sense of morbid curiosity got the best of me this afternoon, so I've gone through the Web sites of three vendors who provide SSL-based remote access.

The general idea for each of these is that SSL is used to create a proxy connection between a remote machine and an internal application of some sort. This is sold as being more convenient and less expensive (in terms of support and software) than a "traditional" VPN solution because SSL is ubiquitous, available to any client independently of operating system cos' it's implemented in Web browsers.

Alas, it's not this simple. A traditional Web browser presents HTTP and SSL data (and maybe FTP and gopher) to a client. Web browsers do >not< normally intercept network calls from non-Web applications (like Outlook, or a database app). In order to provide access to other, non-Web protocols (like our favorites, the Microsoft networking protocols, or an email server), the SSL-based systems have to create a mechanism for intercepting those network requests. This is typically done via a Java applet downloaded to the remote machine when it connects to the SSL VPN server; or via a client application that must be specifically loaded onto the remote machine.

But as soon as either of these client-side apps are required, you lose the advantage of the SSL VPN in the first place -- you're managing software on the client side. Java doesn't help -- most of the support people I know who deal with mixed Windows/Mac/UNIX environments constantly struggle with inconsistencies in Java implementations.

The only applications that any of the SSL VPN vendors claim to be able to secure without any code being loaded on a remote client are >>Web-based applications<<.
[SNIP]
Yours in the quest for more humor in the office -- tbird

--
I, on the other hand, do not work. I enjoy the slothful life of an artist, and while away the hours in meaningless aesthetic pursuits punctuated by bouts of hedonistic debauchery and an occasional nap. -- David Rinehart

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From paul at moquijo.com Thu Feb 6 15:24:33 2003
From: paul at moquijo.com (Paul Cardon)
Date: Thu, 06 Feb 2003 15:24:33 -0500
Subject: [VPN] SSL "VPNs"
References: <20030206065434.G56496-100000@sisyphus.iocaine.com>
Message-ID: <3E42C481.40803@moquijo.com>

Tina Bird wrote:

[SNIP]

> Details below for specific comments and questions on the three vendors I "reviewed." My requirements for the solution are: it must be able to support arbitrary custom database applications; it has to do granular user based access control (they all satisfied that requirement); it must contain the equivalent of "no split tunneling" or some other mechanism for defending against piggy back attacks (none of them did that).

[SNIP]

> None of these vendors claims to address the split tunneling issue; none of them offers convincing evidence that they can route arbitrary IP-based traffic to an internal location, which I believe is a necessity in most environments.

I work at a Fortune 100 corporation in an industry where security is very important. We have had a lot of interest in SSL "VPNs" because of the perceived ability to deploy without a client. There are two significant issues that resulted in a decision to continue to use a traditional VPN client for thin client remote access.

The first was the "no split tunneling" capability.
I don't know how this can be done without hooking into the IP stack and I don't know how that can be done with a browser, a Java applet, and a non-admin user account. SSL VPNs really can't enforce or ensure any kind of real client-side security. Sure they could check for certain other software and configuration but that only goes so far and only works in a non-hostile environment. If an SSL VPN is available for use to a large user base it will be used at j-random web cafes, kiosks, conferences etc. It is too easy to use these things in highly hostile locations.

The second was that the VPN gateway would have fairly broad access to the WAN and I was not willing to depend on either Apache or IIS to secure that type of access. The SSL VPN products I have seen are built on one or the other. All of our Internet accessible web servers have additional security controls on the back side that restrict what they can communicate with on our internal network. To make VPN access a useful service we can't restrict the backend connectivity like we do with our web apps.

Now perhaps some companies who are using this technology understand these risks and have decided they are acceptable but I doubt there are many. When the vendors don't have an answer to either of those questions I would be certain that the majority of their customers aren't asking. The vendor says it's secure so it must be and many purchasers leave it at that.

-paul

From sbest at best.com Thu Feb 6 17:48:24 2003
From: sbest at best.com (Scott C. Best)
Date: Thu, 6 Feb 2003 22:48:24 +0000 (GMT)
Subject: [VPN] Quickest way to create a secure conduit between two Win32 machines?
In-Reply-To: <000701c2cdfe$8550af80$b600000a@alderon>
Message-ID:

Mark:

Heya. Have you given Kaboodle a try? I wrote it for the "average" Internet user (ie, someone who knows their email address but not their IP address), and it comes predisposed to securely tunnel VNC connections across a LAN.
It can also connect LAN's together, of course, but that doesn't seem to be what you're asking. You can find out more about it here: "www.Kaboodle.org". It's at version 0.99 now; there are some loose ends I'm wrapping up for 1.0.

If it doesn't suit your needs, please let me know how it sucks so I can fix it. :)

cheers,
Scott

On Thu, 6 Feb 2003, Mark G. Spencer wrote:

> I am looking for a way to quickly and easily encrypt all communications between two machines with the encrypted connection being required.
>
> I have looked briefly at Zebedee, F-Secure's SSH server, and MS Technet stuff on PPTP. The configuration on these applications seems to be very complex considering the relatively narrow scope of my task.
>
> Any ideas on the best way to encrypt all communications between two Windows 2000 or XP machines? I simply want to wrap VNC or Windows XP's Remote Desktop with Blowfish or pretty much any other robust encryption. If there is a better solution out there than what I have looked at I would definitely appreciate knowing about it!
>
> On a side note .. Apparently Remote Desktop uses the same encryption as Terminal Services and Citrix? How secure in practice is this?
>
> Thanks,
>
> Mark
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
>

From jon-pop at tertial.org Fri Feb 7 06:38:50 2003
From: jon-pop at tertial.org (Jon Still)
Date: Fri, 7 Feb 2003 11:38:50 +0000
Subject: [VPN] IPSEC Resources
Message-ID:

Folks,

I'm looking for a good book on IPSEC - really just covering the protocols from the ground up, the various modes, transforms etc. Is there any particular tome that you lot can recommend over any other?
Failing that, are there any good online resources - sadly a lot of the ones listed on the vpn.shmoo.com website are now dead links :-/

Note - I'm not especially looking for product-specific information here - just information on the protocol suite (preferably including some of the newer stuff like UDP encapsulation), but without having to trawl through the 000s of RFCs - yes, I admit it, I'm lazy :)

Cheers,
Jon.

--
Jon Still E-mail: jon at tertial.org
tertial.org Web: http://www.tertial.org/
GPG Key: http://xanthein.net/key.asc Key ID: 0x00493D2B

From ADias at visanet.com.br Fri Feb 7 08:44:55 2003
From: ADias at visanet.com.br (Adriano Dias Leite)
Date: Fri, 7 Feb 2003 10:44:55 -0300
Subject: [VPN] VPN between simplified mode - traditional mode on Firewall-1 FP3
Message-ID: <85252BC3D0D7D611B7380002A54466AE0151172D@vnetspomail>

Hi all,

Is it possible to establish a VPN between a firewall using the traditional mode and one using the simplified mode?? (Checkpoint Firewall-1 FP3, both)

I have configured both the same way (phase 1), but I'm not able to make them communicate...

Can anybody help me?

Thank you!

Adriano Dias
adias at visanet.com.br <mailto:adias at visanet.com.br>
(11) 3457.2205
(11) 9102-6951

From rginski at co.pinellas.fl.us Fri Feb 7 09:57:30 2003
From: rginski at co.pinellas.fl.us (Richard Ginski)
Date: Fri, 07 Feb 2003 09:57:30 -0500
Subject: [VPN] SSL "VPNs"
Message-ID:

Here's a link to a case where an SSL VPN was deployed.
When we spoke to Novell we learned that, not only can you access standard Intranet based applications using web servers (similar to what's been discussed here), but they also have capabilities to access user folders and have a form of "terminal services" for interactive access such as Telnet sessions via an SSL-based system. This goes well beyond the initial impression of what SSL VPNs can do.

I guess I'm to blame regarding this thread (subject aka IPSEC and Clientless VPN). However, I just can't get comfortable with this level of access being provided without multiple OSI layers of security (such as application layer, system layer, and especially the network layer). I get nervous thinking about giving "carte blanche access" through a firewall to a protected network for this type of solution.

http://www.novell.com/success/hillsborough_county_fl.html

>>> Paul Cardon 02/06/03 03:24PM >>>

Tina Bird wrote:

[SNIP]

> Details below for specific comments and questions on the three vendors I "reviewed." My requirements for the solution are: it must be able to support arbitrary custom database applications; it has to do granular user based access control (they all satisfied that requirement); it must contain the equivalent of "no split tunneling" or some other mechanism for defending against piggy back attacks (none of them did that).

[SNIP]

> None of these vendors claims to address the split tunneling issue; none of them offers convincing evidence that they can route arbitrary IP-based traffic to an internal location, which I believe is a necessity in most environments.

I work at a Fortune 100 corporation in an industry where security is very important. We have had a lot of interest in SSL "VPNs" because of the perceived ability to deploy without a client. There are two significant issues that resulted in a decision to continue to use a traditional VPN client for thin client remote access.

The first was the "no split tunneling" capability.
[SNIP]
-paul

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From paul at moquijo.com Fri Feb 7 10:57:05 2003
From: paul at moquijo.com (Paul Cardon)
Date: Fri, 07 Feb 2003 10:57:05 -0500
Subject: [VPN] SSL "VPNs"
References: <001201c2ce09$ab8f2db0$6400a8c0@cp531435a>
Message-ID: <3E43D751.8040309@moquijo.com>

Keith wrote:

> There are 3rd party remote access security policy management solutions that enforce desktop security policy on the remote desktop before allowing connections and possibly can be adapted to work with SSL-VPNs (a 3rd party remote access policy enforcement agent check before establishing the SSL-based VPN connection, etc).

That's great except that now you are back to having to install an agent/client on the remote desktop which is exactly what most people deploying SSL VPNs are trying to avoid. That is the problem. There are fundamental security controls that can't be implemented at the remote desktop without an agent/client. In my opinion that makes SSL VPNs unsuitable for any but very narrow applications with very restricted access to internal network resources.

> Webmail is, currently, probably the most popular application for a "SSL-based" VPN. What's to prevent someone from subverting a telecommuter's webmail session today to, somehow, get into the internal network today? Remote desktop security management tools/techniques, i.e. personal firewall/IDS, desktop a/v, etc.

I'm not sure that web mail with or without an SSL VPN is appropriate for some companies. How would you feel about an executive on the planning committee of a top 5 financial institution reading e-mail about a yet to be announced merger/acquisition at an airport web kiosk? The SSL VPN only protects that data in transit. There is nothing to protect it on the web kiosk itself. If that environment is compromised or the operator is hostile, that data is as good as disclosed.
-paul

From tbird at precision-guesswork.com Fri Feb 7 12:20:50 2003
From: tbird at precision-guesswork.com (Tina Bird)
Date: Fri, 7 Feb 2003 17:20:50 +0000 (GMT)
Subject: [VPN] IPSEC Resources
In-Reply-To:
Message-ID: <20030207172013.B29802-100000@sisyphus.iocaine.com>

On Fri, 7 Feb 2003, Jon Still wrote:

> Failing that, are there any good online resources - sadly a lot of the ones listed on the vpn.shmoo.com website are now dead links :-/
>

oh dear. i shall tidy that up this weekend. sorry, jon...if there are specific ones you're aware of, please send them to me off list.

cheers -- tbird

--
I, on the other hand, do not work. I enjoy the slothful life of an artist, and while away the hours in meaningless aesthetic pursuits punctuated by bouts of hedonistic debauchery and an occasional nap. -- David Rinehart

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com

From Joel.Snyder at Opus1.COM Fri Feb 7 12:46:44 2003
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Fri, 07 Feb 2003 10:46:44 -0700
Subject: [VPN] IPSEC Resources
References:
Message-ID: <3E43F104.906DE4F5@opus1.com>

The best book on the subject continues to be "IPsec: The New Security Standard for ..." Although Harkins and Doraswamy haven't updated it to really discuss all of the difficult remote access issues (like NAT traversal) which folks are solving in quasi-proprietary ways, it is the only lucid and accurate description of the protocols. I am *really* hoping that they get together and update it for IKEv2 if-and-when it ever comes out.

Some folks have recommended Tiller's "A technical guide to IPsec VPNs," which is also pretty good. I read it fairly quickly because it came out recently and I wanted to see whether it was good enough to recommend to my students. I think that it is.

If you buy either, I also recommend getting the "Big Book of IPsec RFCs."
It's got some nice value-add beyond simply printing out the RFCs (which is basically what it is)---there's a cross-RFC index, it's nicely bound, and it's a lot easier to carry around compared to the printouts. If you're like me, you like to annotate & dogear, and on-line versions aren't so good for that...

The other good book on VPNs from a technology point of view, although not nearly as accurate or in-depth as the other two, is Yuan & Strayer's "Virtual Private Networks." They have a very different viewpoint, including things like management/SNMP and the like, which is more "the big picture" information. I sometimes recommend that one to folks who don't need to understand the issues of DHG2 versus DHG5 but do need a little technical info to complete their design.

As long as I'm blabbing about VPN books... If you want to learn about L2TP, Shea's "L2TP" is the clear classic in the field; everything else discussing L2TP pales in comparison. Similarly, Rescorla's "SSL and TLS" is the landmark on that 'vpn' protocol set. Add to these Schneier's "Applied Cryptography," and you'll have the technical background you need.

Without being unkind to other authors of other VPN books, I'd suggest that these titles are the ones to focus on for best use of your time & money.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

Jon Still wrote:
>
> Folks,
>
> I'm looking for a good book on IPSEC - really just covering the protocols from the ground up, the various modes, transforms etc. Is there any particular tome that you lot can recommend over any other?
>
> Failing that, are there any good online resources - sadly a lot of the ones listed on the vpn.shmoo.com website are now dead links :-/
>
> Note - I'm not especially looking for product-specific information here - just information on the protocol suite (preferably including some of the newer stuff like UDP encapsulation), but without having to trawl through the 000s of RFCs - yes, I admit it, I'm lazy :)
>
> Cheers,
> Jon.
>
> --
> Jon Still E-mail: jon at tertial.org
> tertial.org Web: http://www.tertial.org/
> GPG Key: http://xanthein.net/key.asc Key ID: 0x00493D2B

From BSingh at Nomadix.com Fri Feb 7 12:40:12 2003
From: BSingh at Nomadix.com (BSingh at Nomadix.com)
Date: Fri, 7 Feb 2003 09:40:12 -0800
Subject: [VPN] IPsec VPNs incl. modecfg vs. DHCP
Message-ID: <89680B404BA1DD419E6D93B28B41899BE9FBBF@01mail.nomadix.com>

Posting again due to bad format last time.
------------------------------------------

I have a few clarifications regarding usage of IPsec for VPNs. I have even been going through the thread of Modecfg vs. DHCP and seem a little confused regarding the functionality.

- This particular debate of Modecfg vs. DHCP relates only to remote access scenarios or does it extend to address management for site-to-site VPNs? I would distinguish the 2 using the following definitions: One tunnel per machine and address to be given out (whichever way - modecfg or DHCP) at tunnel setup time would be Remote Access. Site-to-site would be that the tunnel is set up a priori between 2 gateways and both sides would be different private subnets. Users in site-to-site VPNs get addresses typically from their own subnet's DHCP servers. Please correct me if I am wrong..

- Is it also possible that in a site-to-site VPN the address allocation is handled by only one of the private networks (subnets)? i.e. DHCP is tunneled over to this network from all other private networks and responses tunneled back? Is it a typical setup? Is the discussion of modecfg vs.
DHCP relevant in this case? I assume that there might be some routing issues in this setup for tunneling the responses back to the DHCP requesters through the right tunnels. Maybe some state maintenance at the gateways.

- Typical IPsec implementations. Most of them are bump in the stack (software ones).. Am I correct? Does it mean that IP routing is the only way to direct traffic into the right tunnels? i.e. destination address based. Are there any implementations that do not follow this paradigm? Any pointers would be helpful.

thanks
-Bik

------------------------------------------------------------------------------------------
Bik Singh                 818-575-2518 (Off)
Research Scientist        818-597-1502 (Fax)
Product Development       31355 Agoura Road
Nomadix                   Westlake Village, CA 91361

From scott at airespace.com Fri Feb 7 16:14:23 2003
From: scott at airespace.com (Scott G. Kelly)
Date: Fri, 07 Feb 2003 13:14:23 -0800
Subject: [VPN] Re: IPsec VPNs incl. modecfg vs. DHCP
References: <89680B404BA1DD419E6D93B28B41899BE9FBBF@01mail.nomadix.com>
Message-ID: <3E4421AF.9B64D1DC@airespace.com>

I'll take a shot at answering this. Comments inline below...

BSingh at Nomadix.com wrote:
>
> Posting again due to bad format last time.
> ------------------------------------------
>
> I have a few clarifications regarding usage of IPsec for VPNs. I have even been going through the thread of Modecfg vs. DHCP and seem a little confused regarding the functionality.
>
> - This particular debate of Modecfg vs. DHCP relates only to remote access scenarios or does it extend to address management for site-to-site VPNs? I would distinguish the 2 using the following definitions: One tunnel per machine and address to be given out (whichever way - modecfg or DHCP) at tunnel setup time would be Remote Access. Site-to-site would be that the tunnel is set up a priori between 2 gateways and both sides would be different private subnets.
> Users in site-to-site VPNs get addresses typically from their own subnet's DHCP servers. Please correct me if I am wrong..

This is probably a reasonable attempt at a definition, but it leaves out remote access scenarios where a personal security gateway is at the remote end. Also, remote access users do not *necessarily* need address assignment, but this is often done to simplify windows networking tasks via the vpn.

> - Is it also possible that in a site-to-site VPN the address allocation is handled by only one of the private networks (subnets)? i.e. DHCP is tunneled over to this network from all other private networks and responses tunneled back? Is it a typical setup? Is the discussion of modecfg vs. DHCP relevant in this case? I assume that there might be some routing issues in this setup for tunneling the responses back to the DHCP requesters through the right tunnels. Maybe some state maintenance at the gateways.

I've never seen this attempted, but that doesn't mean it won't be done. Obvious issues result if connectivity is lost at renewal time. I have seen it done in telecommuter scenarios where the user has a small network behind a personal sgw, but again, there are issues if connectivity is lost and lease times are small. This can be resolved by having a lightweight dhcp server on the personal sgw which doles out short-lived config when the tunnel is down, and forwards dhcp through the tunnel when it is up. Modecfg doesn't seem to make much sense in such scenarios.

> - Typical IPsec implementations. Most of them are bump in the stack (software ones).. Am I correct? Does it mean that IP routing is the only way to direct traffic into the right tunnels? i.e. destination address based. Are there any implementations that do not follow this paradigm? Any pointers would be helpful.

I'll leave this one for someone else to answer...
Scott

From tbird at precision-guesswork.com Fri Feb 7 18:53:44 2003
From: tbird at precision-guesswork.com (Tina Bird)
Date: Fri, 7 Feb 2003 23:53:44 +0000 (GMT)
Subject: [VPN] Web Site Maintenance
Message-ID: <20030207235245.G49249-100000@sisyphus.iocaine.com>

Hi all -- I am doing another weekend's worth of maintenance on the VPN site. As a result of this work, it will occasionally be inaccessible, but typically not for more than 5 or 10 minutes unless there's a complete catastrophe. Thanks for your patience.

tbird

--
I, on the other hand, do not work. I enjoy the slothful life of an artist, and while away the hours in meaningless aesthetic pursuits punctuated by bouts of hedonistic debauchery and an occasional nap. -- David Rinehart

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com

From jon-pop at tertial.org Fri Feb 7 20:15:09 2003
From: jon-pop at tertial.org (Jon Still)
Date: Sat, 8 Feb 2003 01:15:09 +0000
Subject: [VPN] IPSEC Resources
In-Reply-To: <3E43F104.906DE4F5@opus1.com>
Message-ID:

On Friday, Feb 7, 2003, at 17:46 Europe/London, Joel M Snyder wrote:
> The best book on the subject continues to be "IPsec: The New Security
> hoping that they get together and update it for IKEv2 if-and-when it
> ever comes out.

Ah cool - you're the 2nd person who has recommended that book to me. FYI, there's a new edition out on the 28th of February (in the UK at least) - beware of URL-wrappage...

http://www.amazon.co.uk/exec/obidos/ASIN/013046189X/qid=1044626960/sr=1-7/ref=sr_1_3_7/026-8794468-8138015

Looks like I'll be getting that then :)

Thanks for everyone's help.

Cheers,
Jon.
--
Jon Still                 E-mail: jon at tertial.org
tertial.org               Web: http://www.tertial.org/
GPG Key: http://xanthein.net/key.asc    Key ID: 0x00493D2B

From ILazar at burtongroup.com Fri Feb 7 22:11:00 2003
From: ILazar at burtongroup.com (Irwin Lazar)
Date: Fri, 7 Feb 2003 20:11:00 -0700
Subject: [VPN] IPSEC Resources
Message-ID: <53BBA8839E91D51194D200902728944E01D2ED78@bgslc03.burtongroup.com>

I'll pitch two resources:

ITPRC.COM's VPN & Encryption Page - www.itprc.com/vpn.htm

Dave Kosiur's book on VPN Technologies - Building & Managing Virtual Private Networks - ISBN:0471295264

Disclaimer: I work with Dave and have first-hand knowledge of his in-depth knowledge of VPN services and technologies.

Irwin

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder at Opus1.COM]
Sent: Friday, February 07, 2003 12:47 PM
To: Jon Still
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] IPSEC Resources

The best book on the subject continues to be "IPsec: The New Security Standard for ..." Although Harkins and Doraswamy haven't updated it to really discuss all of the difficult remote access issues (like NAT traversal) which folks are solving in quasi-proprietary ways, it is the only lucid and accurate description of the protocols. I am *really* hoping that they get together and update it for IKEv2 if-and-when it ever comes out.

Some folks have recommended Tiller's "A technical guide to IPsec VPNs," which is also pretty good. I read it fairly quickly because it came out recently and I wanted to see whether it was good enough to recommend to my students. I think that it is.

If you buy either, I also recommend getting the "Big Book of IPsec RFCs." It's got some nice value-add beyond simply printing out the RFCs (which is basically what it is)---there's a cross-RFC index, it's nicely bound, and it's a lot easier to carry around compared to the printouts. If you're like me, you like to annotate & dogear, and on-line versions aren't so good for that...
The other good book on VPNs from a technology point of view, although not nearly as accurate or in-depth as the other two, is Yuan & Strayer's "Virtual Private Networks." They have a very different viewpoint, including things like management/SNMP and the like, which is more "the big picture" information. I sometimes recommend that one to folks who don't need to understand the issues of DHG2 versus DHG5 but do need a little technical info to complete their design.

As long as I'm blabbing about VPN books... If you want to learn about L2TP, Shea's "L2TP" is the clear classic in the field; everything else discussing L2TP pales in comparison. Similarly, Rescorla's "SSL and TLS" is the landmark on that 'vpn' protocol set. Add to these Schneier's "Applied Cryptography," and you'll have the technical background you need.

Without being unkind to other authors of other VPN books, I'd suggest that these titles are the ones to focus on for best use of your time & money.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms at Opus1.COM  http://www.opus1.com/jms  Opus One

Jon Still wrote:
>
> Folks,
>
> I'm looking for a good book on IPSEC - really just covering the protocols from the ground up, the various modes, transforms etc. Is there any particular tome that you lot can recommend over any other?
>
> Failing that, are there any good online resources - sadly a lot of the ones listed on the vpn.shmoo.com website are now dead links :-/
>
> Note - I'm not especially looking for product-specific information here - just information on the protocol suite (preferably including some of the newer stuff like UDP encapsulation), but without having to trawl through the 000s of RFCs - yes, I admit it, I'm lazy :)
>
> Cheers,
> Jon.
>
> --
> Jon Still                 E-mail: jon at tertial.org
> tertial.org               Web: http://www.tertial.org/
> GPG Key: http://xanthein.net/key.asc    Key ID: 0x00493D2B

From ILazar at burtongroup.com Fri Feb 7 22:15:37 2003
From: ILazar at burtongroup.com (Irwin Lazar)
Date: Fri, 7 Feb 2003 20:15:37 -0700
Subject: [VPN] SSL "VPNs"
Message-ID: <53BBA8839E91D51194D200902728944E01D2ED79@bgslc03.burtongroup.com>

> The only applications that any of the SSL VPN vendors claim to be able
> to secure without any code being loaded on a remote client are
> >>Web-based applications<<. Uh, hey, wait a minute -- I can turn on SSL
> on my Web-based application servers and do that myself.

---

The appliances offer you the advantage of off-loading the encryption process from your web servers. They may also provide front-end proxy servers to provide you with an additional layer of security. In Aventail's case, they'll manage the whole thing for you as a server (though they do offer stand-alone appliances as well).

You are right that there is no client security - I've spoken with a few vendors who are looking to implement a check that doesn't allow access to the SSL-VPN proxy unless the end-device meets a certain policy such as up-to-date anti-virus and firewall software. I think you'll see more of that this year.

From ricardo_bergerac at yahoo.co.uk Sat Feb 8 06:47:13 2003
From: ricardo_bergerac at yahoo.co.uk (Rich Budgen)
Date: Sat, 8 Feb 2003 11:47:13 +0000 (GMT)
Subject: [VPN] Help Required!
In-Reply-To:
Message-ID: <20030208114713.61926.qmail@web41415.mail.yahoo.com>

Hello all,

I am a final year student working on my dissertation in need of some advice/help.

My project involves comparing three different VPN solutions for a small company with three offices throughout England.
They are hoping to keep costs down and fool proof security of data is not considered essential. The first implementation I am looking at is Linux FreeS/WAN. I will be able to test this in a lab at uni. Could anyone suggest any simple VPN implementations that I could compare it against, perhaps even another freeware solution. It is not essential that I have to actually test them as long as I can find good documentation and reviews. Therefore, basic hardware implementations are suitable.

Any useful links or whitepapers would be great. I know you are all busy so thanks for reading my mail.

Richard

From shannong at texas.net Sat Feb 8 13:43:34 2003
From: shannong at texas.net (shannong)
Date: Sat, 8 Feb 2003 12:43:34 -0600
Subject: [VPN] SSL "VPNs"
In-Reply-To: <3E43D751.8040309@moquijo.com>
Message-ID: <008701c2cfa1$fc4611d0$0101a8c0@asteroid>

I definitely don't like the idea of unsecured clients using a socks proxy client to gain entrance to an internal network. Most vendors use a java applet to provide the socks proxy for remote access. This means an absent minded user could leave an open hole to the network at any public station. Spooky!

If we drop the name "SSL based VPN", I do like the use of such solutions for providing remote access to web applications ONLY. Deploying browser based access to web applications to the Internet is CRAZY! The worst example that comes to mind is OWA 2000. The OWA server must run an Exchange server and basically have full access to all your DCs. Exposing OWA to the Internet is one of the worst things an organization can do.
However, proxying the session at the edge of the network with a mediating device that first checks credentials before allowing access to the web server behind mitigates a lot of the problems. Sure, you can still hack at the proxy device, but these appliances are usually much more secure than a Windows OS running a multitude of services to be exploited. Much like a firewall or router, the limited code base and services provided make them difficult to hack.

The most secure design I've seen is from Whale Communications. They actually have two devices. One is "outside" and one is "inside". The two devices are separated by an analog switching device that can only connect to one side at a time. Because it's analog, it can't be manipulated by taking over the external server. The "outside" server accepts URL requests and passively sends them inside where the URL is inspected. If the credentials are validated and the URL passes the inspection list, then it is passed on to the target web server inside. This means even if you hack the outside server, the only thing you can do is pass URL requests to the inside server. Because the URLs must pass a known list of valid URL formats on the inside, the ability to do harm or damage is severely limited. The inside server is where the SSL certificate is stored and management takes place. My only complaint for their design is that both servers are Win2k. The outside server does NOT run IIS, but I would still prefer something that doesn't require daily patching and excessive services.
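The inspection step Shannon describes (credentials first, then the URL must match a known list of valid formats before it is handed to the target web server) can be sketched in code. The block below is an added illustration for this list, not Whale's code or anything posted by Shannon; the allowlist patterns, the OWA-style paths, the query-string rule and the sample requests are all constructed for the example. The point it adds is that the "known list of valid URL formats" only holds up if the path is reduced to one canonical form before matching, and that anything which cannot be reduced cleanly (double encoding, dot segments, absolute URLs) is refused rather than normalised.

```python
"""Allowlist URL inspection for a two-tier ("outside"/"inside") web proxy.

Added example, not code from the post or from any vendor. The inside tier
(1) checks that the session has valid credentials and (2) forwards the URL
only if its canonical path matches a known list of valid URL shapes.
Patterns, paths and sample requests are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed allowlist: anchored regexes over the canonical (decoded,
# lower-cased) path. A request matching none of them is refused.
ALLOWED_PATHS = [
    re.compile(r"^/exchange/[a-z0-9._-]{1,64}/(inbox|calendar)/$"),
    re.compile(r"^/exchange/[a-z0-9._-]{1,64}/(inbox|calendar)/[a-z0-9._-]{1,128}\.eml$"),
    re.compile(r"^/exchweb/img/[a-z0-9_-]{1,64}\.gif$"),
]
ALLOWED_METHODS = {"GET", "POST"}
# Query strings are passed through to the inside server, so they get a
# tight character allowlist too (constructed rule).
QUERY_RE = re.compile(r"[A-Za-z0-9=&_.-]{0,256}")
MAX_URL_LEN = 2048


def canonical_path(raw_url):
    """Reduce an origin-form request URL to one canonical path.

    Returns None when the URL cannot be reduced to a single trustworthy form
    (absolute URL, double encoding, control characters, dot segments, "//").
    Refusing such requests is deliberate: normalising them would hand the
    inside server a path the allowlist never saw.
    """
    if len(raw_url) > MAX_URL_LEN:
        return None
    parts = urlsplit(raw_url)
    if parts.scheme or parts.netloc:
        return None                      # only origin-form ("/path?query") is accepted
    path = unquote(parts.path)           # decode exactly once
    if "%" in path or "\\" in path:
        return None                      # a leftover "%" means a second encoding layer
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        return None
    if not path.startswith("/"):
        return None
    segments = path.split("/")[1:]       # drop the empty element before the leading "/"
    body, last = segments[:-1], segments[-1]
    if any(seg in ("", ".", "..") for seg in body) or last in (".", ".."):
        return None                      # dot segments or "//": refuse, do not normalise
    # Windows/IIS treats paths case-insensitively, so match the lower-cased
    # form; otherwise "/Exchange/..." would slip past a lower-case allowlist.
    return path.lower()


def inspect_request(method, raw_url, credentials_ok):
    """Decide whether the outside tier's request may reach the inside web server.

    Mirrors the order in the post: credentials first, then the URL against the
    inspection list. Returns (allowed, reason, canonical_path).
    """
    if not credentials_ok:
        return (False, "unauthenticated", None)
    if method not in ALLOWED_METHODS:
        return (False, "method", None)
    path = canonical_path(raw_url)
    if path is None:
        return (False, "malformed", None)
    if not QUERY_RE.fullmatch(urlsplit(raw_url).query):
        return (False, "query", path)
    if not any(pat.match(path) for pat in ALLOWED_PATHS):
        return (False, "not-on-allowlist", path)
    return (True, "ok", path)


def demo():
    """Constructed sample requests as the outside tier would relay them."""
    samples = [
        ("GET", "/exchange/alice/inbox/", True),
        ("GET", "/Exchange/Alice/Calendar/?cmd=contents", True),
        ("GET", "/exchange/alice/inbox/../../../private/config", True),
        ("GET", "/exchange/alice/inbox/%252e%252e/x", True),
        ("GET", "/exchange/alice/inbox/", False),
        ("DELETE", "/exchange/alice/inbox/", True),
        ("GET", "http://outside.example/exchange/alice/inbox/", True),
        ("GET", "/exchange/alice/admin/", True),
    ]
    return [(m, u, inspect_request(m, u, ok)) for m, u, ok in samples]


if __name__ == "__main__":
    for method, url, verdict in demo():
        print(f"{verdict[1]:<17} {method:<6} {url}")
```

The reasons returned by `inspect_request` are worth logging on the inside tier: a burst of "malformed" or "not-on-allowlist" verdicts from one session is exactly the signal you would want if the outside server had been taken over and was being used to relay requests, which is the residual risk Shannon's description leaves open.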
-Shannon

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Paul Cardon
Sent: Friday, February 07, 2003 9:57 AM
To: Keith
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] SSL "VPNs"

Keith wrote:
> There are 3rd party remote access security policy management solutions that enforce desktop security policy on the remote desktop before allowing connections and possibly can be adapted to work with SSL-VPNs (a 3rd party remote access policy enforcement agent check before establishing the SSL-based VPN connection, etc).

That's great except that now you are back to having to install an agent/client on the remote desktop which is exactly what most people deploying SSL VPNs are trying to avoid. That is the problem. There are fundamental security controls that can't be implemented at the remote desktop without an agent/client. In my opinion that makes SSL VPNs unsuitable for any but very narrow applications with very restricted access to internal network resources.

> Webmail is, currently, probably the most popular application for a "SSL-based" VPN. What's to prevent some one from subverting a telecommuter's webmail session today to, somehow, get into the internal network today? Remote desktop security management tools/techniques, i.e. personal firewall/IDS, desktop a/v, etc.

I'm not sure that web mail with or without an SSL VPN is appropriate for some companies. How would you feel about an executive on the planning committee of a top 5 financial institution reading e-mail about a yet to be announced merger/acquisition at an airport web kiosk? The SSL VPN only protects that data in transit. There is nothing to protect it on the web kiosk itself. If that environment is compromised or the operator is hostile, that data is as good as disclosed.
-paul

From losttoy2000 at yahoo.co.uk Mon Feb 10 00:07:07 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Mon, 10 Feb 2003 05:07:07 +0000 (GMT)
Subject: [VPN] IPSEC Resources
In-Reply-To:
Message-ID: <20030210050707.50724.qmail@web12701.mail.yahoo.com>

Hi Jon,

Goto google and type "IPSec tutorial". You will get lots of presentations and articles on IPSec. However, the best resource IS the RFCs. They cover a lot of important details of the IPSec architecture which most books/tutorials might miss. I know it's a little boring to read through them but then it's better than reading a whole book. ;-)

Regards,

Siddhartha
From losttoy2000 at yahoo.co.uk Mon Feb 10 00:51:09 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Mon, 10 Feb 2003 05:51:09 +0000 (GMT)
Subject: [VPN] SSL "VPNs"
In-Reply-To: <008701c2cfa1$fc4611d0$0101a8c0@asteroid>
Message-ID: <20030210055109.72386.qmail@web12706.mail.yahoo.com>

VPN SSL is more of a marketing gimmick. SSL has been used for a long time for secure access to web sites and it's a good thing if you only want to give users access to the web site. I was surprised to see that most vendors use the SSL Proxy appliance to only proxy HTTPS and don't have the flexibility to wrap any protocol like SSLWrapper (see freshmeat.net). If they do that (which IMHO is a very simple task) then the offering of a SSL Proxy Appliance is much better.

In terms of authentication, Rainbow Technologies has a good product. It integrates with their USB Token. So if you plug out the token, the SSL session times out instantly.

--- shannong wrote:
>
> I definitely don't like the idea of unsecured clients using a socks proxy client to gain entrance to an internal network. Most vendors use a java applet to provide the socks proxy for remote access. This means an absent minded user could leave an open hole to the network at any public station. Spooky!
>
> If we drop the name "SSL based VPN", I do like the use of such solutions for providing remote access to web applications ONLY. Deploying browser based access to web applications to the Internet is CRAZY! The worst example that comes to mind is OWA 2000. The OWA server must run an Exchange server and basically have full access to all your DCs. Exposing OWA to the Internet is one of the worst things an organization can do.
From losttoy2000 at yahoo.co.uk Mon Feb 10 02:27:04 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Mon, 10 Feb 2003 07:27:04 +0000 (GMT)
Subject: [VPN] Quickest way to create a secure conduit between two Win32 machines?
In-Reply-To: <000701c2cdfe$8550af80$b600000a@alderon>
Message-ID: <20030210072704.92962.qmail@web12705.mail.yahoo.com>

Win2k and Win XP can do IPSec. Simplest and most secure.

--- "Mark G. Spencer" wrote:
> I am looking for a way to quickly and easily encrypt all communications between two machines with the encrypted connection being required.
>
> I have looked briefly at Zebedee, F-Secure's SSH server, and MS Technet stuff on PPTP. The configuration on these applications seems to be very complex considering the relatively narrow scope of my task.
>
> Any ideas on the best way to encrypt all communications between two Windows 2000 or XP machines? I simply want to wrap VNC or Windows XP's Remote Desktop with Blowfish or pretty much any other robust encryption. If there is a better solution out there than what I have looked at I would definitely appreciate knowing about it!
>
> On a side note .. Apparently Remote Desktop uses the same encryption as Terminal Services and Citrix? How secure in practice is this?
>
> Thanks,
>
> Mark

From luca.fornasari at easybit.it Thu Feb 13 11:57:34 2003
From: luca.fornasari at easybit.it (Luca Fornasari)
Date: Thu, 13 Feb 2003 17:57:34 +0100
Subject: [VPN] FreeS/Wan & 3Com Internet Firewall VPN
Message-ID: <3E4BCE7E.6040605@easybit.it>

Hello list,

Has anyone of you already configured a VPN (Tunnel Mode) using a FreeS/Wan and a 3Com Internet Firewall VPN? As told by 3Com "it is possible to establish a VPN with FreeS/Wan" but the problem is that I can't find information and configuration parameters to set Main/Aggressive Mode and PFS on the 3Com.

Any suggestion is appreciated.

Have nice time
Luca Fornasari

From tbird at precision-guesswork.com Thu Feb 13 17:34:21 2003
From: tbird at precision-guesswork.com (Tina Bird)
Date: Thu, 13 Feb 2003 22:34:21 +0000 (GMT)
Subject: [VPN] Speaking of Pseudo-VPNs
Message-ID: <20030213223230.N549-100000@sisyphus.iocaine.com>

I've been asked a couple of questions recently about the Citrix Secure ICA protocol. Man, there's not much on line about it. Does anyone have information on encryption algorithms or authentication (in particular, does it support client-side and server-side authentication)?

thanks -- tbird

--
I, on the other hand, do not work. I enjoy the slothful life of an artist, and while away the hours in meaningless aesthetic pursuits punctuated by bouts of hedonistic debauchery and an occasional nap.
-- David Rinehart

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com

From yararat at go-documenta.com Thu Feb 13 17:48:29 2003
From: yararat at go-documenta.com (Yuval Ararat)
Date: Fri, 14 Feb 2003 00:48:29 +0200
Subject: [VPN] A domain controller and Netscreen vpn configuration
Message-ID: <000501c2d3b2$0d10f610$2201a8c0@documentausa.com>

Does anyone on the list have any information about connecting a Netscreen XP5 device with a Windows 2000 Active Directory for authentication and logon of the road warriors? How do I configure it with the Netscreen client and how do I configure it not to disturb the login process of the client that has no network connection to the VPN?

Regards,
Yuval Ararat
Documenta LLC
www.documentausa.com

From john.spanos at adacel.com Thu Feb 13 18:17:38 2003
From: john.spanos at adacel.com (John Spanos)
Date: Fri, 14 Feb 2003 10:17:38 +1100
Subject: [VPN] Re: Problems configuring PIX
In-Reply-To: <20030203062644.67736.qmail@web12706.mail.yahoo.com>
Message-ID:

Hi All,

I have had a site-to-site tunnel to a remote office on our PIX firewall for a few months now. It works fine but now that I am trying to configure a Remote Access Client VPN on the same device I am having issues with the site-to-site tunnel going down and not being able to come back. I have issued the appropriate no-xauth and no-mode-config for the site-to-site peer. Is there anything else I should be looking out for? Does anyone have an example config? Any help is much appreciated.

John Spanos.

From cgripp at automotive.com Thu Feb 13 18:29:12 2003
From: cgripp at automotive.com (Chris Gripp)
Date: Thu, 13 Feb 2003 15:29:12 -0800
Subject: [VPN] Speaking of Pseudo-VPNs
Message-ID:

I know the encryption algo is RC5. Here's a link to the Admin's Guide. It's not exactly super tech material but it might be a good start.
http://knowledgebase.citrix.com/cgi-bin/webcgi.exe/,/?Session=6473712,U=1,ST=149,N=0004,K=22671,SXI=18,Case=obj(2348)

-Chris

From TKoopman at SonicWALL.com Thu Feb 13 19:07:38 2003
From: TKoopman at SonicWALL.com (TKoopman at SonicWALL.com)
Date: Thu, 13 Feb 2003 16:07:38 -0800
Subject: [VPN] A domain controller and Netscreen vpn configuration
Message-ID:

Yuval,

I'll pitch in with some answers because this is not specifically a Netscreen question and more generally falls into Windows AD authentication through a VPN client.

Netscreen, and many others, use the Safenet client. This client has an XAUTH agent built right into it. The Netscreen can link a VPN client tunnel to a Radius Server. Consult the Netscreen documentation or just click around until you find it. So, the easiest way to accomplish your secondary authentication is to redirect to a Radius server.
The Radius server in turn is linked to your AD server. The remote user will be presented with an additional username/password prompt and will enter their regular domain user name and password.

To make this all run smoother, the remote laptop or computer should be a member of the Domain. The user will initially login with cached credentials, then establish the tunnel, be prompted for the Radius password, and then be on the network.

One note of caution. You may run into Kerberos authentication issues if you are attempting to access network resources through this VPN client tunnel. By default, the Kerberos packets are UDP packets until they exceed 2000 bytes. This results in fragmented UDP packets which will not traverse the VPN client tunnel. Search on Microsoft's technet for "Kerberos and VPN" and you will find several articles related to this. The one you want tells you how to modify the registry to force Kerberos into a TCP packet and then it will traverse the tunnel without any problems.

I would not anticipate any severe difficulties in making all this work. This is exactly what we do at SonicWALL (another firewall/vpn manufacturer) and with many of our customers.

Best Regards

TODD KOOPMAN
Systems Engineer
SonicWALL
tkoopman at sonicwall.com
From rginski at co.pinellas.fl.us Fri Feb 14 11:07:11 2003
From: rginski at co.pinellas.fl.us (Richard Ginski)
Date: Fri, 14 Feb 2003 11:07:11 -0500
Subject: [VPN] Speaking of Pseudo-VPNs
Message-ID:

This may shed some light. I found this:

http://www.centior.nl/images/CSG%20Centior.ppt

From TKoopman at SonicWALL.com Thu Feb 13 19:16:47 2003
From: TKoopman at SonicWALL.com (TKoopman at SonicWALL.com)
Date: Thu, 13 Feb 2003 16:16:47 -0800
Subject: [VPN] FreeS/Wan & 3Com Internet Firewall VPN
Message-ID:

Luca,

If you are using a 3COM Office Connect firewall, then it is an OEM of the SonicWALL firewall. Depending on the age of the appliance and the firmware version level you have on the 3COM you will have greater or lesser flexibility for the options you mention.

The 3COM device will initially default to Aggressive Mode if it has a dynamically assigned WAN IP address. It defaults to Main Mode if it has a statically assigned WAN IP. This is hard coded into the firmware you are probably running.
The latest release of SonicWALL firmware, version 6.4.0.1, allows you to select this as a configurable option.

PFS is a user selectable option on the SonicWALL/3COM devices. Again it depends on the age and firmware version. If you see an Advanced Settings button at the bottom of the VPN>Configure page, then the PFS option is in there. If you do not see that button, then it is turned off and is not user configurable. This is user configurable in newer code releases.

If you can email your firmware version directly to me, I may be able to give you some more guidance. And you can check the online FAQs in both our support system and in the documentation links at www.sonicwall.com

Best Regards

TODD KOOPMAN
Systems Engineer
SonicWALL
tkoopman at sonicwall.com

From shehzad at khi.wol.net.pk Fri Feb 14 01:56:03 2003
From: shehzad at khi.wol.net.pk (shehzad abbas)
Date: Fri, 14 Feb 2003 11:56:03 +0500
Subject: [VPN] VPN solution
In-Reply-To:
References:
Message-ID: <200302141156030856.2DDAE258@smtp.khi.wol.net.pk>

hi,

I'm looking for a cheap VPN solution to connect three corporate LANs... hardware or software, any suggestions?
thanx,
Shehzad

From mballou at VIISAGE.COM Fri Feb 14 10:33:33 2003
From: mballou at VIISAGE.COM (Matt Ballou)
Date: Fri, 14 Feb 2003 10:33:33 -0500
Subject: [VPN] Intel LanRover Question
Message-ID: <9DD2BCB69A87F34EA58667058C7A2F738C097B@fortress.viisage.net>

Hello All,

I have a question about passing VPN Clients through an Intel LanRover Gateway plus Firewall. The firewall is set up as a NAT and is running version 6.70 firmware. We have a client that connects to their customers via VPN clients (Cisco, Nortel, Microsoft). Until about a year ago, they were not using a NAT firewall and were using public IPs. We were able to get the PPTP to pass through the firewall using One to One NAT. However, the L2TP/IPSEC does not seem to pass through even with UDP 500 outbound open (trying UDP Encapsulation). Perhaps I am missing something in the setup...an ACL?

Sincerely,
Matt

From yroques at fininfo.fr Fri Feb 14 11:54:45 2003
From: yroques at fininfo.fr (ROQUES Yann)
Date: Fri, 14 Feb 2003 17:54:45 +0100
Subject: [VPN] Cisco VPN 3000, FreeS/Wan and NAT-T
Message-ID:

Hi all,

Has anyone of you already configured a Lan-to-Lan connection using a FreeS/Wan (1.99) and a Cisco VPN 3000 (3.6.3)? It is supposed to work fine, but an example config would be appreciated!

Another question: would this config support translation? I know the Cisco box can handle it, but I am not sure FreeS/Wan can. It seems there's a patch but freeswan advises to handle it with care. Any experience?

Thanks for your help,

Yann Roques.

**************
Network Diagram
---------------

Network
  |
Cisco CVPN3015
  |
  |
{loadbalancer performing one to one NAT}
  |
  |
{internet}
  |
  |
FreeS/WAN GW
  |
Network 2

From MLittle at bhsi.com Fri Feb 14 12:28:35 2003
From: MLittle at bhsi.com (Little, Mike (BHS))
Date: Fri, 14 Feb 2003 12:28:35 -0500
Subject: [VPN] Site-to-site with session control?
Message-ID: <03Feb14.122328est.119445@pcbhi266.bhsi.com>

All,

I currently have 5 vendors who support our organization who want to set up site-to-site VPN connections. They have a variety of VPN hardware, but my concern is not being able to establish the connection, it's being able to exercise some control over how that connection is used. That is, we'd like to put in place some way to have session control over the link so that we know what particular user is coming in and when, etc.

We currently have Nortel CES2000s in place but have just received the CES2700s which I'm preparing to upgrade to. We also purchased the firewall license, which I hope will help, but I don't think it will force any type of additional authentication on the individual user level.

Does anyone have any ideas on how to implement a branch-to-branch (site-to-site) connection but still force those who want to use it to have to provide additional authentication? We have a RADIUS server in place and an AD network.

I'll be moving forward with this soon and if I can discover a way to get this accomplished, I'll follow up with a message myself.

Thanks for the help,

Mike Little
Network Services
Baptist Healthcare System

From mail at meiremania.com Fri Feb 14 12:29:24 2003
From: mail at meiremania.com (meiremania.com)
Date: Fri, 14 Feb 2003 18:29:24 +0100
Subject: [VPN] VPN solution
References: <200302141156030856.2DDAE258@smtp.khi.wol.net.pk>
Message-ID: <00d401c2d44e$9e8d1960$0301a8c0@saddam>

Hi,

If you have some *NIX experience then it might be interesting to look at Linux (freeswan) or *BSD (my favorite), just running on a normal PC with enough capacity.

greetz
Johan

----- Original Message -----
From: "shehzad abbas"
To:
Sent: Friday, February 14, 2003 7:56 AM
Subject: [VPN] VPN solution

> hi,
> im looking for a cheap vpn solution to connect three corporate LANs...hardware or software, any suggestions?
> thanx,
> Shehzad

From Juri.Reitsakas at Vorguvara.ee Mon Feb 17 15:23:21 2003
From: Juri.Reitsakas at Vorguvara.ee (Juri.Reitsakas at Vorguvara.ee)
Date: Mon, 17 Feb 2003 22:23:21 +0200
Subject: [VPN] Netscreen SCEP and iPlanet CA
Message-ID:

Hi,

Was anybody able to successfully configure Netscreen to use CEP with iPlanet CA? If yes, please share the information on how to do it.

From my point of view the problem is that iPlanet CA doesn't add the FQDN as SubjectAlternativeName to the certificate, but Netscreen requires this to establish the tunnel.

Best Regards
Juri

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20030217/68ccdb34/attachment.htm

From osmond at holburn.com Fri Feb 14 12:33:16 2003
From: osmond at holburn.com (Chad Osmond)
Date: Fri, 14 Feb 2003 12:33:16 -0500
Subject: [VPN] VPN solution
Message-ID:

3x Netscreen 5XP's, $700-1400 CAD each (depending on model). Do it once and do it right and you'll never have to look back.

-----Original Message-----
From: shehzad abbas [mailto:shehzad at khi.wol.net.pk]
Sent: February 14, 2003 1:56 AM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN solution

hi,
im looking for a cheap vpn solution to connect three corporate LANs...hardware or software, any suggestions?
thanx,
Shehzad

From bet at rahul.net Fri Feb 14 12:52:12 2003
From: bet at rahul.net (Bennett Todd)
Date: Fri, 14 Feb 2003 12:52:12 -0500
Subject: [VPN] VPN solution
In-Reply-To: <200302141156030856.2DDAE258@smtp.khi.wol.net.pk>
References: <200302141156030856.2DDAE258@smtp.khi.wol.net.pk>
Message-ID: <20030214175212.GF8412@rahul.net>

2003-02-14T01:56:03 shehzad abbas:
> im looking for a cheap vpn solution to connect three corporate
> LANs...hardware or software, any suggestions?

If you happen to have in-house expertise with any of the free Unix-like OSes --- Linux, FreeBSD, NetBSD, OpenBSD --- then you can use any of them to set up an inter-office VPN, using cheap hardware. I'm a Linux type myself, I've done this successfully with FreeS/WAN, and if I were doing it again today it'd be far simpler, I'd use CIPE.

-Bennett

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20030214/21f8327a/attachment.pgp

From paul at moquijo.com Fri Feb 14 14:53:38 2003
From: paul at moquijo.com (Paul Cardon)
Date: Fri, 14 Feb 2003 14:53:38 -0500
Subject: [VPN] Speaking of Pseudo-VPNs
References: <20030213223230.N549-100000@sisyphus.iocaine.com>
Message-ID: <3E4D4942.6060506@moquijo.com>

Tina Bird wrote:
> I've been asked a couple of questions recently about the Citrix Secure ICA
> protocol. Man, there's not much on line about it. Does anyone have
> information on encryption algorithms or authentication (in particular,
> does it support client-side and server-side authentication)?
RC5 symmetric cipher
  Block size: 64-bit
  Rounds: 12
  Key length: 40, 64, or 128 bit

Diffie-Hellman key exchange
  Key length: 1024 bit

-paul

From james at heague.com.au Sun Feb 16 23:12:30 2003
From: james at heague.com.au (James McNeill)
Date: Mon, 17 Feb 2003 15:12:30 +1100
Subject: [VPN] Cisco VPN 3000, FreeS/Wan and NAT-T
References:
Message-ID: <04a701c2d63a$caa2a860$0f00a8c0@james>

FreeS/WAN's NAT traversal patch is fairly good. It's not mature enough yet to make the release code, but will eventually. It's not a very complicated thing.

Have a look for Super FreeS/WAN (http://www.freeswan.ca/). It's basically FreeS/WAN with a few patches pre-installed. Might be what you're after.

HTH
-James

| Hi all,
|
| Has anyone of you already configured a Lan-to-Lan connection using a
| FreeS/Wan (1.99) and a Cisco VPN 3000 (3.6.3)? It is supposed to work fine,
| but an example config would be appreciated!
| Another question: would this config support translation? I know the Cisco
| box can handle it, but I am not sure FreeS/Wan can. It seems there's a patch
| but freeswan advises to handle it with care. Any experience?
|
|
| Thanks for your help,
|
| Yann Roques.
|
|
| **************
| Network Diagram
| ---------------
|
| Network
|   |
| Cisco CVPN3015
|   |
|   |
| {loadbalancer performing one to one NAT}
|   |
|   |
| {internet}
|   |
|   |
| FreeS/WAN GW
|   |
| Network 2
|

From vpn at cvilux.com Tue Feb 18 11:37:13 2003
From: vpn at cvilux.com (Cindy DeBoskey)
Date: Tue, 18 Feb 2003 08:37:13 -0800
Subject: [VPN] Nortel VPN Expert?
Message-ID: <007401c2d76c$081970c0$6601a8c0@client.us.trendnet.org>

hi, sorry for the mass broadcasting on this job posting. our company is looking for a contractor who knows nortel vpn down to development code level (mainly the proprietary stuff like authentication..).
if you are looking for a position, please forward your resume and hourly rate to me. the company is based in san jose, ca. work from remote site is negotiable.

regards,
cindy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20030218/b1474533/attachment.htm

From roger.qian at sholodge.com Tue Feb 18 12:12:59 2003
From: roger.qian at sholodge.com (Roger Qian)
Date: Tue, 18 Feb 2003 11:12:59 -0600
Subject: [VPN] VPN solution
Message-ID:

Can Linux type VPN accept W98 and W2K client?

Thanks,
Roger

-----Original Message-----
From: Bennett Todd [mailto:bet at rahul.net]
Sent: Friday, February 14, 2003 11:52 AM
To: shehzad abbas
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] VPN solution

2003-02-14T01:56:03 shehzad abbas:
> im looking for a cheap vpn solution to connect three corporate
> LANs...hardware or software, any suggestions?

If you happen to have in-house expertise with any of the free Unix-like OSes --- Linux, FreeBSD, NetBSD, OpenBSD --- then you can use any of them to set up an inter-office VPN, using cheap hardware. I'm a Linux type myself, I've done this successfully with FreeS/WAN, and if I were doing it again today it'd be far simpler, I'd use CIPE.

-Bennett

From bet at rahul.net Tue Feb 18 12:18:53 2003
From: bet at rahul.net (Bennett Todd)
Date: Tue, 18 Feb 2003 12:18:53 -0500
Subject: [VPN] Windows to Linux VPN (was Re: VPN solution)
Message-ID: <20030218171853.GB984@rahul.net>

2003-02-18T12:12:59 Roger Qian:
> Can Linux type VPN accept W98 and W2K client?

There are various ways this can be done, using various VPN strategies. Which is best depends on your exact needs.

I expect there's an IPSec client for Windows; it should be able to connect to FreeS/WAN.

CIPE has a Windows version available.

I imagine something could be lashed up using ppp-over-ssh, or socks-over-ssl, or other such hacks.

-Bennett

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20030218/c5542400/attachment.pgp

From roger.qian at sholodge.com Tue Feb 18 12:31:43 2003
From: roger.qian at sholodge.com (Roger Qian)
Date: Tue, 18 Feb 2003 11:31:43 -0600
Subject: [VPN] RE: Windows to Linux VPN (was Re: VPN solution)
Message-ID:

Thanks for the information.

We're using a Windows RRAS PPTP for remote users (about 12 users) only. A couple of weeks ago, I configured PIX VPN. It worked fine, but the login authentication is in the PIX, not with Windows 2000. When users log in they cannot access Windows based file servers, because W2K file servers check Windows authentication, not the PIX's.

How does Linux do the authentication? With Windows?

Roger

-----Original Message-----
From: Bennett Todd [mailto:bet at rahul.net]
Sent: Tuesday, February 18, 2003 11:19 AM
To: Roger Qian
Cc: vpn at lists.shmoo.com
Subject: Windows to Linux VPN (was Re: VPN solution)

2003-02-18T12:12:59 Roger Qian:
> Can Linux type VPN accept W98 and W2K client?

There are various ways this can be done, using various VPN strategies. Which is best depends on your exact needs.

I expect there's an IPSec client for Windows; it should be able to connect to FreeS/WAN.

CIPE has a Windows version available.

I imagine something could be lashed up using ppp-over-ssh, or socks-over-ssl, or other such hacks.

-Bennett

From dklein at netscreen.com Tue Feb 18 19:20:20 2003
From: dklein at netscreen.com (David Klein)
Date: Tue, 18 Feb 2003 16:20:20 -0800
Subject: [VPN] Netscreen SCEP and iPlanet CA
Message-ID: <541402FFDC56DA499E7E13329ABFEA87C6C143@SARATOGA.netscreen.com>

Juri,

I haven't had a chance to try the iPlanet SCEP interface. It should work.

Regarding this ...

> From my point of view the problem is that iPlanet CA doesn't add the FQDN as SubjectAlternativeName to the certificate, but Netscreen requires this to establish the tunnel.
The Netscreen will support DN if your cert doesn't have a SubjectAltName field. You should try to find the right knobs on the iPlanet CA to make the CA generate this field. However, if worst comes to worst and you can't get it to work, then use DNs on the Netscreen. To do this use the keyword [DistinguishedName] as the local IKE id in the "set ike gateway ..." definition. For the remote IKE id, you can use the asn1-dn keyword in the "set ike gateway ..." definition.

Here's some more detail on Netscreens:

There are 4 IKE_id types that we support for phase 1 identification of a peer gateway or VPN client:

1) IP address (e.g., 64.81.225.173)
2) FQDN (e.g., netscreen.dklein.com)
3) User-FQDN or email address (e.g., dklein at netscreen.com)
4) DN or Distinguished Name (e.g., CN=klein,OU=SE,O=Netscreen,C=US,...)

When doing pre-shared keys, we can only do 1, 2, or 3. When doing X.509 certs, then we can do all of them.

If doing X.509 certs and doing identification based on 1, 2, or 3 then you have to have a V3 extension in the certificate called the "Subject Alternative Name" field. This can contain one or more of the first three IKE types and values. These values get set by doing the following:

To have the cert request include the domain name name.domain.com:

  set host name
  set domain domain.com

For IP address and email address:

  set pki x509 dn email "ns204 at dklein.com"
  set pki x509 dn ip "10.9.8.204"

If doing X.509 certs and you don't have the "Subject Alternative Name" field (commonly done when some CA issues you something like an SSL server cert for the Netscreen) then you have to do DN IKE identification. To do this on a Netscreen, use the keyword [DistinguishedName] (with the square brackets) to tell the NetScreen to use the DN from its own certificate to identify itself to the peer. To tell the NetScreen to expect a DN from the peer, use the asn1-dn id type:

  set ike gateway name dynamic asn1-dn { container | wildcard } string ...
  set ike gateway name ip 3.3.3.3 id asn1-dn { container | wildcard } string ...

Example with static IP on peer:

  set ike gateway peer-gw ip 5.5.5.5 id asn1-dn wildcard "cn=gw-test,o=netscreen,c=us" main local-id [DistinguishedName] outgoing-interface ethernet1 proposal rsa-g2-3des-sha

or with dynamic IP on peer:

  set ike gateway peer-gw dynamic asn1-dn wildcard "cn=gw-test,o=netscreen,c=us" aggr local-id [DistinguishedName] outgoing-interface ethernet1 proposal rsa-g2-3des-sha

And select your local cert and CA cert:

  set ike gateway peer-gw cert my-cert
  set ike gateway peer-gw cert peer-cert-type x509-sig
  set ike gateway peer-gw cert peer-ca

Make sure your clocks are accurate. Also make sure your CRL is loaded or you have access to a valid CRL-DP.

Dave Klein
Netscreen SE

-----Original Message-----
From: Juri.Reitsakas at Vorguvara.ee [mailto:Juri.Reitsakas at Vorguvara.ee]
Sent: Monday, February 17, 2003 2:23 PM
To: vpn at lists.shmoo.com
Subject: [VPN] Netscreen SCEP and iPlanet CA

Hi,

Was anybody able to successfully configure Netscreen to use CEP with iPlanet CA? If yes, please share the information on how to do it.

From my point of view the problem is that iPlanet CA doesn't add the FQDN as SubjectAlternativeName to the certificate, but Netscreen requires this to establish the tunnel.

Best Regards
Juri

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20030218/6c5b06dd/attachment.htm

From Juri.Reitsakas at Vorguvara.ee Wed Feb 19 06:43:55 2003
From: Juri.Reitsakas at Vorguvara.ee (Juri.Reitsakas at Vorguvara.ee)
Date: Wed, 19 Feb 2003 13:43:55 +0200
Subject: [VPN] Netscreen SCEP and iPlanet CA
In-Reply-To: <541402FFDC56DA499E7E13329ABFEA87C6C143@SARATOGA.netscreen.com>
Message-ID:

Hi David,

Thank you very much for the information. I was able to configure boxes without SubAltName just using the DN as you describe.
> set ike gateway peer-gw ip 5.5.5.5 id asn1-dn wildcard "cn=gw-test,o=netscreen,c=us" main local-id [DistinguishedName] outgoing-interface ethernet1 proposal rsa-g2-3des-sha

Thank you.

PS! May I ask a few questions:
Does GlobalManager Pro 4.0.0r2 support this configuration?
Do you have any idea when GMPro will support DIAL for XT?

Best Regards
Juri

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20030219/07bffaee/attachment.htm

From dklein at netscreen.com Wed Feb 19 09:50:46 2003
From: dklein at netscreen.com (David Klein)
Date: Wed, 19 Feb 2003 06:50:46 -0800
Subject: [VPN] Netscreen SCEP and iPlanet CA
Message-ID: <541402FFDC56DA499E7E13329ABFEA87C6C14B@SARATOGA.netscreen.com>

Yes, this is supported in Global Pro 4.0.0r2. You select "Distinguished Name" in the Device's "IKE ID's" property settings. You also have to place the Device's protected resource in a VPN definition with certs selected as Phase 1 authentication and not pre-shared secret.

Support of 4.0.0DIAL for the NS5xt should be in Global Pro 4.1 due out early April, 2003.

Dave Klein

-----Original Message-----
From: Juri.Reitsakas at Vorguvara.ee [mailto:Juri.Reitsakas at Vorguvara.ee]
Sent: Wednesday, February 19, 2003 5:44 AM
To: David Klein; vpn at lists.shmoo.com
Subject: RE: [VPN] Netscreen SCEP and iPlanet CA

Hi David,

Thank you very much for the information. I was able to configure boxes without SubAltName just using the DN as you describe.

> set ike gateway peer-gw ip 5.5.5.5 id asn1-dn wildcard "cn=gw-test,o=netscreen,c=us" main local-id [DistinguishedName] outgoing-interface ethernet1 proposal rsa-g2-3des-sha

Thank you.

PS! May I ask a few questions:
Does GlobalManager Pro 4.0.0r2 support this configuration?
Do you have any idea when GMPro will support DIAL for XT?

Best Regards
Juri

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20030219/464be8db/attachment.htm

From safieradam at hotmail.com Fri Feb 21 00:58:52 2003
From: safieradam at hotmail.com (safieradam)
Date: Fri, 21 Feb 2003 00:58:52 -0500
Subject: [VPN] Speaking of Pseudo-VPNs
References: <20030213223230.N549-100000@sisyphus.iocaine.com> <3E4D4942.6060506@moquijo.com>
Message-ID:

I heard they are about to start supporting PKI for authentication. Sorry, no details. While the client creates an encrypted link to the server, they also sell a VPN product. For a shop highly focused on Citrix it may be worth bugging the pre-sales people for manuals and more details. Also, if you identify yourself as a consultant they will eventually let you speak to an SE. Unfortunately I delegated that research and don't remember the details since we chose to go with something else. (Gotta take you people's recommendations.)

Adam

----- Original Message -----
From: "Paul Cardon"
To: "Tina Bird"
Cc:
Sent: Friday, February 14, 2003 2:53 PM
Subject: Re: [VPN] Speaking of Pseudo-VPNs

> Tina Bird wrote:
> > I've been asked a couple of questions recently about the Citrix Secure ICA
> > protocol. Man, there's not much on line about it. Does anyone have
> > information on encryption algorithms or authentication (in particular,
> > does it support client-side and server-side authentication)?
>
> RC5 symmetric cipher
>   Block size: 64-bit
>   Rounds: 12
>   Key length: 40, 64, or 128 bit
>
> Diffie-Hellman key exchange
>   Key length: 1024 bit
>
> -paul

From dhadwal_sandeepsingh at hotmail.com Sun Feb 23 18:25:05 2003
From: dhadwal_sandeepsingh at hotmail.com (Sandeep Dhadwal)
Date: Mon, 24 Feb 2003 04:55:05 +0530
Subject: [VPN] How to calculate Key Length in DES and 3DES?
Message-ID:

Hi All,

I would like to know what the key length is in DES and 3DES.
I know that DES supports 56 bit and 3DES 168 bit keys. But I want to know how many characters we can use in both and also how to calculate the length of the characters.

Regards,
Sandeep Singh Dhadwal

_________________________________________________________________
The new MSN 8: smart spam protection and 2 months FREE*
http://join.msn.com/?page=features/junkmail

From dgoldsmith at sans.org Mon Feb 24 16:19:12 2003
From: dgoldsmith at sans.org (David Goldsmith)
Date: Mon, 24 Feb 2003 16:19:12 -0500
Subject: [VPN] Cisco 3000 VPN Concentrators and RADIUS -- Assigned IPs
Message-ID: <20030224161912.059a1fda.dgoldsmith@sans.org>

If I create a 'Local' user on a Cisco 3000 Concentrator, I can assign it a specific IP address. The problem is there is a limited number of local users/groups that can be created on the device.

If I create a 'Local' group that is authenticated via an external RADIUS server, I have an unlimited number of clients, but I have not found a way to assign static IPs. I've only been able to have them use the dynamically assigned pool.

Q1) Can you configure a RADIUS server to hand back an IP address with the approved authentication request?

Q2) We are using FreeRADIUS on Linux with a MySQL backend tied to the CryptoCard admin software. Assuming the answer to Q1 was yes, is it possible to do it under this specific configuration?

Thanks,
Dave Goldsmith

From bet at rahul.net Mon Feb 24 17:19:05 2003
From: bet at rahul.net (Bennett Todd)
Date: Mon, 24 Feb 2003 17:19:05 -0500
Subject: [VPN] How to calculate Key Length in DES and 3DES?
In-Reply-To:
References:
Message-ID: <20030224221905.GD6643@rahul.net>

2003-02-23T18:25:05 Sandeep Dhadwal:
> I would like to know what the key length is in DES and 3DES. I know
> that DES supports 56 bit and 3DES 168 bit keys. But I want to
> know how many characters we can use in both and also how to
> calculate the length of the characters.

Hmm. An odd question.
The "length of the characters", that would be 8 bits each on most systems today, but the answer is getting a lot muzzier in some places. 8 bits per is probably the likeliest answer.

When you are encoding crypto keys, though, there's an additional complication; it's generally desirable to (a) allow arbitrary combinations of bits as key data, while (b) having printable representations (which have only about 6.5 bits per character available at most).

If your printable representations of your keys are in hex (i.e. the only characters that show up are 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f, possibly with uppercase letters A-F) then you're only encoding 4 bits of key per printable character. Then a 56-bit DES key would print up as 14 characters, and a 168-bit 3DES password would print up as 42 characters.

If on the other hand the straight text of the printable version is being used as a raw password for the DES or 3DES algorithm, 8 bits per character, then you only get 7 characters for a 56-bit DES password and 21 for a 168-bit 3DES password --- but those passwords darned well better look like raw binary noise; if they look printable as US-ASCII then the high-order bit is always 0, i.e. you're only using a small fraction of the keyspace, i.e. the work-factor for breaking your cryptosystem is dramatically dropped.

In between are representations using more than 16 (hex) characters to encode, like uuencode and Base64.

Then there's the encoding as a series of short words, in the fashion of S/Key; that packs as I recall 12 bits into each 2, 3, or 4-character short word, so a 56-bit DES key would be 5 words, and a 168-bit 3DES key would be 14 words.

As yet another possibility, systems where humans are expected to enter keys for such cryptosystems often ask for a passphrase, and then hash it with the likes of MD5 or SHA-1, and use bits from the hash for the key.
With such systems, it's wise to use _really_long_ passphrases; normal text English is commonly estimated to have on the very rough order of about one bit of entropy per character, so it'd be good to have a passphrase that's at least 56 characters long for single-DES, and at least 168 characters long for 3DES. Longer is better; doubling those wouldn't be imprudent.

-Bennett

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20030224/993d0844/attachment.pgp

From rmalayter at bai.org Mon Feb 24 19:37:50 2003
From: rmalayter at bai.org (Ryan Malayter)
Date: Mon, 24 Feb 2003 18:37:50 -0600
Subject: [VPN] How to calculate Key Length in DES and 3DES?
Message-ID: <792DE28E91F6EA42B4663AE761C41C2AE9B5@cliff.bai.org>

There are 95 visible characters on a US keyboard, and log2(95) = 6.55, so there are about 6.57 bits of entropy per character. That means you need at least 9 characters for a single-DES key, and at least 18 characters for a triple-DES key. (In most cases the strength of a triple-DES implementation is actually 112 bits, not 168 bits, because the best cryptanalytic attacks against triple-DES only take 2^112 operations).

This presumes, of course, that you are using TRULY random strings of characters, not full words. If you use words, names, or other things you can easily remember, you are getting much lower security per character. See www.diceware.com for more information about the entropy of common words in a password.

You can use a source like www.random.org as a source of random characters, but I recommend using something you control physically like dice, coin tosses, a bingo cage, whatever. Do NOT use a random number generator built into a programming language, unless it is specifically designed for secure number generation, like the one in GnuPG, Microsoft's CryptoAPI, or /dev/random on Linux.
I personally use 50-character phrases, consisting only of digits 1-6, to create all of my sensitive passwords (like VPN shared secrets). I know they offer 128 bits of security because they were determined solely from 50 dice tosses I controlled with my own hands. For systems which require a key in hexadecimal format, I simply hash the list of 50 dice toss results (3215464312...) using the SHA-1 algorithm, and use the first 32 hexadecimal letters, or as many as the system can take. If the system can't take 32 characters, I convert it using the method found at http://malayter.com/dice2ascii.txt

Also be careful about the method by which you enter a key into a device. You may go through all the trouble to create this massively secure key phrase, then ruin it by sending it unencrypted across a shared network to the browser interface of your VPN device. I generally do firewall security configuration directly connected to the device with a crossover cable.

Ryan Malayter
Sr. Network & Database Administrator
Bank Administration Institute
Chicago, Illinois, USA
PGP Key: http://www.malayter.com/pgp-public.txt
:::::::::::::::::::::::::::::::
Only the mediocre are at their best all the time.

-----Original Message-----
From: Sandeep Dhadwal [mailto:dhadwal_sandeepsingh at hotmail.com]
Sent: Sunday, February 23, 2003 5:25 PM
To: vpn at lists.shmoo.com
Subject: [VPN] How to calculate Key Length in DES and 3DES?

Hi All,

I would like to know what the key length is in DES and 3DES. I know that DES supports 56 bit and 3DES 168 bit keys. But I want to know how many characters we can use in both and also how to calculate the length of the characters.
Regards,
Sandeep Singh Dhadwal

From losttoy2000 at yahoo.co.uk Tue Feb 25 01:23:33 2003
From: losttoy2000 at yahoo.co.uk (=?iso-8859-1?q?Siddhartha=20Jain?=)
Date: Tue, 25 Feb 2003 06:23:33 +0000 (GMT)
Subject: [VPN] How to calculate Key Length in DES and 3DES?
In-Reply-To:
Message-ID: <20030225062333.16550.qmail@web12701.mail.yahoo.com>

DES uses a 64-bit key out of which 8 bits are for parity, effectively giving you 56 bits. 3DES is DES done three times (either in Encrypt-Decrypt-Encrypt mode or Encrypt-Encrypt-Encrypt mode). Each step uses a 56-bit key giving you 56x3 = 168 bits. But you really can't call it a 168-bit key.

From http://www.acmet.com/html/3des.html

Let E_K(I) and D_K(I) represent the DES encryption and decryption of I using DES key K respectively. Each TDEA encryption/decryption operation is a compound operation of DES encryption and decryption operations. The following operations are used:

TDEA encryption operation: the transformation of a 64-bit block I into a 64-bit block O that is defined as follows:

  O = E_K3(D_K2(E_K1(I)))

TDEA decryption operation: the transformation of a 64-bit block I into a 64-bit block O that is defined as follows:

  O = D_K1(E_K2(D_K3(I)))

I am not sure what you mean by --- "But I want to know how many characters we can use in both and also how to calculate the length of the characters." A character usually is a byte long, i.e. 8 bits.

Siddhartha

--- Sandeep Dhadwal wrote:
> Hi All,
>
> I would like to know what the key length is in DES and 3DES. I know that DES
> supports 56 bit and 3DES 168 bit keys. But I want to know how many
> characters we can use in both and also how to calculate the length of the
> characters.
>
> Regards,
> Sandeep Singh Dhadwal

From rmalayter at bai.org Tue Feb 25 14:05:34 2003
From: rmalayter at bai.org (Ryan Malayter)
Date: Tue, 25 Feb 2003 13:05:34 -0600
Subject: [VPN] How to calculate Key Length in DES and 3DES?
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A390A21@cliff.bai.org>

There are 95 visible characters on a US keyboard, and log2(95) = 6.55, so there are about 6.57 bits of entropy per character. That means you need at least 9 characters for a single-DES key, and at least 18 characters for a triple-DES key. (In most cases the strength of a triple-DES implementation is actually 112 bits, not 168 bits, because the best cryptanalytic attacks against triple-DES only take 2^112 operations).

This presumes, of course, that you are using TRULY random strings of characters, not full words. If you use words, names, or other things you can easily remember, you are getting much lower security per character. See www.diceware.com for more information about the entropy of common words in a password.

You can use a source like www.random.org as a source of random characters, but I recommend using something you control physically like dice, coin tosses, a bingo cage, whatever. Do NOT use a random number generator built into a programming language, unless it is specifically designed for secure number generation, like the one in GnuPG, Microsoft's CryptoAPI, or /dev/random on Linux.
I personally use 50-character phrases, consisting only of digits 1-6, to create all of my sensitive passwords (like VPN shared secrets). I know they offer 128 bits of security because they were determined solely from 50 dice tosses I controlled with my own hands. For systems which require a key in hexadecimal format, I simply hash the list of 50 dice toss results (3215464312...) using the SHA-1 algorithm, and use the first 32 hexadecimal letters, or as many as the system can take. If the system can't take 32 characters, I convert it using the method found at http://malayter.com/dice2ascii.txt

Also be careful about the method by which you enter a key into a device. You may go through all the trouble to create this massively secure key phrase, then ruin it by sending it unencrypted across a shared network to the browser interface of your VPN device. I generally do firewall security configuration directly connected to the device with a crossover cable.

Ryan Malayter
Sr. Network & Database Administrator
Bank Administration Institute
Chicago, Illinois, USA
PGP Key: http://www.malayter.com/pgp-public.txt
:::::::::::::::::::::::::::::::
Only the mediocre are at their best all the time.

-----Original Message-----
From: Sandeep Dhadwal [mailto:dhadwal_sandeepsingh at hotmail.com]
Sent: Sunday, February 23, 2003 5:25 PM
To: vpn at lists.shmoo.com
Subject: [VPN] How to calculate Key Length in DES and 3DES?

Hi All,

I would like to know what the key length is in DES and 3DES. I know that DES supports 56 bit and 3DES 168 bit keys. But I want to know how many characters we can use in both and also how to calculate the length of the characters.

Regards,
Sandeep Singh Dhadwal
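The arithmetic in Ryan's post (bits of entropy per keyboard character, characters needed for a given strength, and SHA-1 of a dice string truncated to hex digits), written out as an added Python example that is not from the thread. The `roll_dice` helper and the fixed dice strings used for checking are constructed here; treating 32 hex digits as the 128-bit point is taken from his rule.

```python
import hashlib
import math
import secrets

# Alphabet sizes from the thread: 95 printable US-keyboard characters, 6 dice faces.
PRINTABLE = 95
DICE = 6


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one uniformly random symbol drawn from the alphabet."""
    return math.log2(alphabet_size)


def symbols_needed(target_bits: int, alphabet_size: int) -> int:
    """Smallest count of uniform random symbols whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def passphrase_entropy(symbol_count: int, alphabet_size: int) -> float:
    """Entropy of symbol_count uniform symbols (only valid for truly random choices)."""
    return symbol_count * bits_per_symbol(alphabet_size)


def roll_dice(count: int) -> str:
    """Digits 1-6 from the OS CSPRNG; a constructed stand-in for hand-thrown dice."""
    return "".join(str(secrets.randbelow(DICE) + 1) for _ in range(count))


def dice_to_hex_key(dice: str, hex_chars: int = 32) -> str:
    """Hash the dice string with SHA-1 and keep the leading hex_chars hex digits.

    SHA-1 yields 40 hex digits (160 bits); the default 32 digits carry 128 bits,
    matching the entropy of roughly 50 dice tosses. Truncating further only
    shortens the key, it never adds entropy beyond what the dice supplied.
    """
    if not dice or any(c not in "123456" for c in dice):
        raise ValueError("dice string must contain only the digits 1-6")
    if not 1 <= hex_chars <= 40:
        raise ValueError("SHA-1 provides at most 40 hex digits")
    return hashlib.sha1(dice.encode("ascii")).hexdigest()[:hex_chars]


if __name__ == "__main__":
    for bits in (56, 112, 168):
        print(f"{bits}-bit strength needs >= {symbols_needed(bits, PRINTABLE)} random printable chars")
    dice = roll_dice(50)
    print(f"50 dice tosses carry {passphrase_entropy(50, DICE):.2f} bits")
    print("hex key:", dice_to_hex_key(dice))
```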
From amason at mail.cebra.com Tue Feb 25 15:57:49 2003
From: amason at mail.cebra.com (Andy Mason)
Date: Tue, 25 Feb 2003 15:57:49 -0500
Subject: [VPN] How to calculate Key Length in DES and 3DES?
Message-ID: <5032D2C42677D411B60600805F57C55C01546BCC@mail.cebra.com>

When it's back up, a fun source of random numbers is: http://www.lavarnd.org/

Andy

-----Original Message-----
From: Ryan Malayter [mailto:rmalayter at bai.org]
Sent: February 25, 2003 2:06 PM
To: vpn at lists.shmoo.com
Subject: RE: [VPN] How to calculate Key Length in DES and 3DES?

You can use a source like www.random.org as a source of random characters, but I recommend using something you control physically like dice, coin tosses, a bingo cage, whatever. Do NOT use a random number generator built into a programming language, unless it is specifically designed for secure number generation, like the one in GnuPG, Microsoft's CryptoAPI, or /dev/random on Linux.

From hakan.palm at generic.se Wed Feb 26 04:26:38 2003
From: hakan.palm at generic.se (hakan.palm at generic.se)
Date: Wed, 26 Feb 2003 10:26:38 +0100
Subject: Ang: [VPN] Cisco 3000 VPN Concentrators and RADIUS -- Assigned IPs
Message-ID:

Dave, have you tried the IP Address attribute, RADIUS attribute 8? That should work. Just configure your RADIUS server to return that attribute along with the rest of the attributes I guess you have configured it to return upon a successful authentication of the user.

Regards,
/Palm

dgoldsmith at sans.org 2003-02-25 21:28
To: vpn at lists.shmoo.com @ INTERNET
Cc: (Blank: Hakan Palm/Generic)
Subject: [VPN] Cisco 3000 VPN Concentrators and RADIUS -- Assigned IPs

If I create a 'Local' user on a Cisco 3000 Concentrator, I can assign it a specific IP address. The problem is there is a limited number of local users/groups that can be created on the device.

If I create a 'Local' group that is authenticated via an external RADIUS server, I have an unlimited number of clients, but I have not found a way to assign static IPs. I've only been able to have them use the dynamically assigned pool.

Q1) Can you configure a RADIUS server to hand back an IP address with the approved authentication request?
Q2) We are using FreeRADIUS on Linux with a MySQL backend tied to the CryptoCard admin software. Assuming the answer to Q1 was yes, is it possible to do it under this specific configuration?

Thanks,
Dave Goldsmith

From losttoy2000 at yahoo.co.uk Wed Feb 26 05:00:10 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Wed, 26 Feb 2003 10:00:10 +0000 (GMT)
Subject: [VPN] Cisco 3000 VPN Concentrators and RADIUS -- Assigned IPs
In-Reply-To: <20030224161912.059a1fda.dgoldsmith@sans.org>
Message-ID: <20030226100010.95333.qmail@web12701.mail.yahoo.com>

Take a look at this. It is possible to do what you need using a RADIUS server.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080102172.html#984410

Also, this is the way it is done using Cisco ACS, so it will give you an idea how to configure your RADIUS server:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080102172.html#984454
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008010217e.html#2050

Basically, there is a list of attributes a RADIUS server can pass on to a user logging onto a NAS. This list includes Client IP address among a host of other parameters.

Hope this helps.

Siddhartha

--- David Goldsmith wrote:
> If I create a 'Local' user on a Cisco 3000 Concentrator, I can assign it a
> specific IP address. The problem is there is a limited number of local
> users/groups that can be created on the device.
>
> If I create a 'Local' group that is authenticated via an external RADIUS
> server, I have an unlimited number of clients, but I have not found a way
> to assign static IPs. I've only been able to have them use the dynamically
> assigned pool.
>
> Q1) Can you configure a RADIUS server to hand back an IP address with the
> approved authentication request?
>
> Q2) We are using FreeRADIUS on Linux with a MySQL backend tied to the
> CryptoCard admin software. Assuming the answer to Q1 was yes, is
> it possible to do it under this specific configuration?
>
> Thanks,
> Dave Goldsmith

From nharel at nettech-services.net Thu Feb 27 15:41:54 2003
From: nharel at nettech-services.net (Nate Harel)
Date: Thu, 27 Feb 2003 15:41:54 -0500
Subject: [VPN] Local network neighborhood gone when VPN connects
Message-ID: <4.2.0.58.20030227154144.00ff7218@mail.nettech-services.net>

Hi,

I set up a small VPN connection from my office to my home. At the office, I have a WinXP machine via a Netgear router. At home I have a Win2K machine again via a Netgear router. I opened up port 1723.

I connect from my office, no problem. At home, my Win2K machine runs fine, I can see the local neighborhood (includes 2 other Win2K machines). However, if I check my other machines at home, the Network Neighborhood only shows my office machine on the net. It does not show any of the local machines. When I disconnect the VPN (after a bit of a delay), I can see the network again.

What is doing this?
Thanks

Nate

----------
Nate Harel
NetTech Services
56 Pickering Street
Needham, MA 02492
Tel: 1-781-559-8176
Toll Free: 1-877-567-8936
FAX: 1-877-567-8936
Email: nharel at nettech-services.com
www.nettech-services.net
www.onlineremotebackup.com
www.nettech-hosting.com
www.virtualofficephone.com
----------

From jaykup at punkass.com Thu Feb 27 16:09:31 2003
From: jaykup at punkass.com (Jake)
Date: Thu, 27 Feb 2003 15:09:31 -0600
Subject: [VPN] Fw: VPN
Message-ID: <002d01c2dea4$85b30520$09521f41@jacob>

----- Original Message -----
From: "Tina Bird"
To: "Jake"
Sent: Thursday, February 27, 2003 1:40 PM
Subject: Re: VPN

pls send to vpn at lists.shmoo.com

On Thu, 27 Feb 2003, Jake wrote:

> Hi. I was wondering if you could help me set up a VPN to a few other computers in my area. We have a game that we play a lot, but it only works on a LAN. I was wondering if there was a way to connect a few computers to mine (Windows 2000 Pro) and let us all play on a LAN, when we would really be on the internet. I went into the dial-up networking properties and set up an incoming connection for a VPN and had someone set it up pretty much the same way; they connected to me using the VPN but they lost all internet and weren't able to share files, like a normal LAN would be able to. I was wondering if there was a way I can get that to work, so we could play the LAN part of the game, but like I said, over the internet. Also, how could I get multiple people to connect to me? Just copy and paste the connection a few times?? It doesn't matter too much to me if they have internet, as long as they are recognized as being on the LAN.
> If you could offer any help, that would be great. Thank you.
>
> - Jake -