From losttoy2000 at yahoo.co.uk Thu May 1 04:20:48 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Thu, 1 May 2003 09:20:48 +0100 (BST)
Subject: [VPN] SSL VPN
In-Reply-To:
Message-ID: <20030501082048.75197.qmail@web12705.mail.yahoo.com>

Hi,

Let's examine VPN - Virtual Private Network.

Virtual as in you overlay a private network over a public network.
Private coz the traffic should be authentic and/or encrypted.
Network - A network would be linking more than two hosts? Moreover, it should provide a host connectivity to whoever joins the network.

Now look at SSL *VPN*.

Is it virtual?? Nope, you just use the public network (internet) to create a secure session.

Yes, it's private coz it provides for authentication and encryption.

Network - Now that's my biggest grouse over calling SSL a VPN. Unlike an IPSec or any other network-layer based VPN which provides a single host or multiple hosts access to a whole network behind a VPN device, does the SSL VPN provide the same functionality?

I think SSL VPN is just a marketing gimmick, nothing more. Having said that, I would also like to admit that lots of places I sold a regular VPN device could've done by deploying plain simple SSL. But the current marketing frenzy fed the customers with IPSec VPN. (Sigh)

Siddhartha

--- Chris Gripp wrote:
> I'd say remote control accessible from the internet without source IP filtering is generally a bad idea regardless of the implementation. Anyone could just sit and bang away at a login prompt. Now, hopefully you are using strong password policies, etc to mitigate the risk but it still doesn't give me a warm and fuzzy feeling knowing anyone could just keep trying till they get bored or succeed.
>
> -Chris
>
> -----Original Message-----
> From: Roger Qian [mailto:roger.qian at sholodge.com]
> Sent: Wednesday, April 30, 2003 8:37 AM
> To: shannong
> Cc: vpn at lists.shmoo.com
> Subject: RE: [VPN] SSL VPN
>
> How is pcANYWHERE? Same as GoToMyPc from a security standpoint?
>
> Thanks,
> Roger
>
> -----Original Message-----
> From: shannong [mailto:shannong at texas.net]
> Sent: Tuesday, April 29, 2003 7:27 PM
> Cc: vpn at lists.shmoo.com
> Subject: RE: [VPN] SSL VPN
>
> From a security standpoint, GoToMyPC is a really bad idea. Providing a third-party with unadulterated access to machines on your internal network is not taking your internal security very seriously. In addition to giving that provider access, when they get hacked this perpetrator will have access to your PCs as well. GoToMyPC has HIPAA and GLBA issues which make it a legal issue in healthcare and finance, respectively.
>
> -----Original Message-----
> From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of safieradam
> Sent: Tuesday, April 29, 2003 4:03 AM
> To: Tina Bird; Bartsch, Vincent
> Cc: vpn at lists.shmoo.com
> Subject: Re: [VPN] SSL VPN
>
> Check out www.GoToMyPC.com. There are several similar products but this one is advertising heavily where I tend to go.
>
> Adam
>
> ----- Original Message -----
> From: "Tina Bird"
> To: "Bartsch, Vincent"
> Cc:
> Sent: Monday, April 28, 2003 10:36 PM
> Subject: Re: [VPN] SSL VPN
>
> > On Mon, 28 Apr 2003, Bartsch, Vincent wrote:
> >
> > > I am researching everything about SSL and its use as a VPN solution. I am aware of some of its limitations but I was wondering has anyone tried this: allowed an SSL connection to a web server that lets the user open a connection to a terminal server. Or can it be configured to connect to a terminal server via an SSL connection directly? Has anyone tried this, were they successful?
> >
> > Hi Vincent -- I don't have anything that will be immediately useful, but we had a bit of a discussion about SSL-based VPNs. The responses to my original posting included a lot of experience the writers had had, so it might be very useful for you.
> >
> > http://vpn.shmoo.com -- click on SSL VPNs & Other Misc
> >
> > cheers -- tbird
> >
> > --
> > It's not the size of the key, it's the implementation of the algorithm...
> >
> > -- Natasha Smith
> >
> > http://www.shmoo.com/~tbird
> > Log Analysis http://www.loganalysis.org
> > VPN http://vpn.shmoo.com
> > Security Alerts http://securecomputing.stanford.edu/alert.html
> >
> > _______________________________________________
> > VPN mailing list
> > VPN at lists.shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/vpn

__________________________________________________
Yahoo! Plus
For a better Internet experience
http://www.yahoo.co.uk/btoffer

From losttoy2000 at yahoo.co.uk Thu May 1 04:30:40 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Thu, 1 May 2003 09:30:40 +0100 (BST)
Subject: [VPN] Checkpoint NG FP2
In-Reply-To:
Message-ID: <20030501083040.17988.qmail@web12704.mail.yahoo.com>

If you have two boxes, A and B, then both must know each other's certifying authorities. Or both must have certificates issued from the same CA. A presents a cert to B, how does B validate that it's valid?? By checking with its own CA or by checking with A's CA. Get this straight if you want to use certificate based IKE.
Yes, you can use pre-shared keys in Checkpoint. But using certs is definitely more secure and robust.

Siddhartha

--- "Raymakers, Guy" wrote:
> I'm trying to setup a VPN between two Nokia IP350's running Checkpoint NG FP2. I've used the internal_ca to generate certificates on both systems. When the two systems try to establish the IPsec connection, I only see in the logs 'invalid certificate' and certificate validation timeouts. Any ideas and is there a possibility to use pre-shared keys (between two fully managed FP2 checkpoints)?
>
> Many thanks,
> Guy

From support at tradescan.cc Thu May 1 11:01:50 2003
From: support at tradescan.cc (support at tradescan.cc)
Date: Thu, 1 May 2003 10:01:50 -0500
Subject: [VPN] Win2K RRAS and Tiny Soft Personal Firewall
Message-ID: <002301c30ff2$98880860$326fa8c0@office3>

I've got a PPTP VPN established between 2 Win2K machines using RRAS. I'd like to run TinySoft Personal Firewall on the VPN server but when I do I can't make the needed connections over the VPN and I can't get TinySoft to tell me what's trying to connect. Anyone else tried this?

John Guynn
System Administrator
support at tradersparadise.com
www.tradersparadise.com

From wurzuh at northnet.org Thu May 1 16:10:27 2003
From: wurzuh at northnet.org (David Wurzburg)
Date: Thu, 1 May 2003 16:10:27 -0400
Subject: [VPN] First VPN
Message-ID: <200305011610.AA2106720450@northnet.org>

Hey all,

I'm attempting to set up a VPN. The host is a 2000 server op system - and is connected to a LAN. I'm running into problems though. Our fractional T1 enters the building on an ADTRAN voice/IP box. It then is directed to a router, and continues to be distributed over the LAN.

I've tried a few times to configure VPN - all failures. If I use the make a new connection wizard for the host, I get a certification error when trying to connect from a client. If I use the Remote Access and Routing wizard for the host, I get a no answer when trying to connect from a client.

Do I need two separate NICs for the server? Or what am I doing wrong? Do I need to purchase/create a certificate, or will it work without one?

Thanks for your help,
Dave

From kent at dalliesin.com Thu May 1 17:38:14 2003
From: kent at dalliesin.com (Kent Dallas)
Date: Thu, 1 May 2003 17:38:14 -0400
Subject: [VPN] SSL VPN
In-Reply-To: <20030501082048.75197.qmail@web12705.mail.yahoo.com>
Message-ID:

>Siddhartha Jain wrote:
>
>Let's examine VPN - Virtual Private Network.
>
>Virtual as in you overlay a private network over a public network.
>Private coz the traffic should be authentic and/or encrypted.
>Network - A network would be linking more than two hosts? Moreover, it should provide a host connectivity to whoever joins the network.
>
>Now look at SSL *VPN*.
>
>Is it virtual?? Nope, you just use the public network (internet) to create a secure session.
>
>Yes, it's private coz it provides for authentication and encryption.
>
>Network - Now that's my biggest grouse over calling SSL a VPN. Unlike an IPSec or any other network-layer based VPN which provides a single host or multiple hosts access to a whole network behind a VPN device, does the SSL VPN provide the same functionality?
>
>I think SSL VPN is just a marketing gimmick, nothing more. Having said that, I would also like to admit that lots of places I sold a regular VPN device could've done by deploying plain simple SSL. But the current marketing frenzy fed the customers with IPSec VPN. (Sigh)
>
>Siddhartha

Personally, I have always been a bit irritated by such pedantic definitions of VPN. I do not acknowledge any industry standard definition of VPN, and grant everyone their opinions (as I hope they will grant mine).
I note that our gracious host and moderator's definition (on the homepage) is quite liberal.

First, in terms of "virtual", I would be more willing to accept the definition as meaning "not physical". The implication is that it is built across a shared network (perhaps public), but the referenced network isn't "hardwired" on the underlying physical network. In Siddhartha's evaluation of SSL's fit for "virtual", the criteria of "session" seems limited to where it is in the stack, versus the fact that it is set up and torn down as necessary, much like many IPsec applications and implementations (which appear just as "virtual" to me).

Second, privacy should not be defined as authentication (user, host, data, or packet) or encryption. As a simple refutation, a physical network can be private without either authentication or encryption. Encryption is simply a common tool to deliver privacy across a shared network. Authentication is another security concept altogether, but can also use cryptography as a tool to achieve it (but in and of itself, is different than privacy).

Third, a network need not be more than the ability to connect two hosts.

As you may observe, I am willing to allow SSL to fall within my technical definition of VPN. However, by no means do I equate IPsec with SSL. The significant technical differences have been discussed sufficiently well here on the list recently.

When I talk about VPN with clients, I avoid any technical definitions. To understand why, let me excerpt from a document I wrote a few years back, but is still relevant:

***EXCERPT***

Many in the industry attempt to define a Virtual Private Network based on the technology that delivers their particular solution. But such a method of developing the definition often fails to address the underlying reason such a solution may be used: to solve a business problem. VPNs only exist to solve such problems, so a proper development of a definition should start with an understanding of the business problems they address.

The term "Virtual Private Network" and the acronym VPN have been around since the mid-80s, and were first used by the Sprint Corporation. However, Sprint's use refers to their service of providing feature-rich multi-location circuit switched voice and data services to large corporate enterprises. Further, many other public data network technologies could fall under the description of a VPN. Services based on protocols such as X.25, Frame Relay, and Asynchronous Transfer Mode (ATM) all could be considered VPN services.

For the purposes of this document, the acronym VPN will refer to transport of digital data across a shared or public network infrastructure, in a manner that provides characteristics of a private network (security, performance, and control) but at a lower cost.

[portions omitted related to IP versus Frame Relay and ATM, limiting further reference of VPNs to those using IP at the network layer]

In the final analysis, corporate enterprises considering VPN solutions only do so for one reason: to solve a business problem. Yet any business problem solved with a VPN could be solved with a truly private network solution. The choice to use a VPN ultimately comes down to the VPN solution yielding the most cost-effective solution to a particular business problem(s).

Although there may be many business problems that a VPN could address, the vast majority of customer applications fall into three broad categories: secure remote access; secure site to site communication (internal to the enterprise), and secure business to business communication (external to the enterprise).

***END OF EXCERPT***

I later define "secure remote access" as connecting a trusted user to a protected application, host, or (IP) network; and secure site-to-site as connecting a trusted host or (IP) network to another trusted host or (IP) network. I won't go into my definition of secure business-to-business VPN here, as it gets even more complicated.

While I agree that the definition of VPN gets narrowed or widened by vendors for marketing reasons, such artificial limits aren't in the customer's interests, per se, and only serve to cloud the business issues (as Siddhartha seems to admit).

Regards,
Kent Dallas

From gwc at capehassoc.com Thu May 1 18:04:25 2003
From: gwc at capehassoc.com (George W. Capehart)
Date: Thu, 1 May 2003 18:04:25 -0400
Subject: [VPN] Checkpoint NG FP2
In-Reply-To: <20030501083040.17988.qmail@web12704.mail.yahoo.com>
References: <20030501083040.17988.qmail@web12704.mail.yahoo.com>
Message-ID: <200305011804.48923.gwc@capehassoc.com>

On Thursday 01 May 2003 04:30 am, Siddhartha Jain wrote:
> If you have two boxes, A and B, then both must know each other's certifying authorities. Or both must have certificates issued from the same CA. A presents a cert to B, how does B validate that it's valid?? By checking with its own CA or by checking with A's CA. Get this straight if you want to use certificate based IKE.
>
> Yes, you can use pre-shared keys in Checkpoint. But using certs is definitely more secure and robust.

IFF:

  o The CA hierarchy is traversed to the root CA
  o You trust/believe the root CA
  o The CAs maintain up-to-date CRLs and they are checked
  o etc.

Certs *may* be more secure and robust. See http://www.counterpane.com/pki-risks.pdf and the IETF PKIX mailing list, etc. for "mitigating factors." When used and managed inappropriately, it is very easy to get a false sense of security from PKIs . . . It's not easy to use certs securely. |-}

/g

--
George W.
Capehart
"With sufficient thrust, pigs fly just fine . . ." -- RFC 1925

From safieradam at hotmail.com Fri May 2 04:49:30 2003
From: safieradam at hotmail.com (safieradam)
Date: Fri, 2 May 2003 04:49:30 -0400
Subject: [VPN] SSL VPN
References: <003101c30eaf$31625760$0101a8c0@ASTEROID>
Message-ID:

I agree and do not trust it. But GoToMyPC is an interesting model for research and any resulting analysis should include the issues. There are plenty of other programs that do the same thing without the middleman but do you really trust them if you can't see/understand the source code or know and trust the vendor? GoToMyPC is just being pushed real hard in advertising.

The ease of setting these things up and the likely emergence of less "benevolent" versions makes host based IDS more and more attractive.

BTW, Vincent, you should also be looking at TLS, the "standard" and Microsoft blessed follow on to SSL.

Adam

----- Original Message -----
From: "shannong"
Cc:
Sent: Tuesday, April 29, 2003 8:26 PM
Subject: RE: [VPN] SSL VPN

> From a security standpoint, GoToMyPC is a really bad idea. Providing a third-party with unadulterated access to machines on your internal network is not taking your internal security very seriously. In addition to giving that provider access, when they get hacked this perpetrator will have access to your PCs as well. GoToMyPC has HIPAA and GLBA issues which make it a legal issue in healthcare and finance, respectively.

From support at tradescan.cc Fri May 2 08:46:18 2003
From: support at tradescan.cc (support at tradescan.cc)
Date: Fri, 2 May 2003 07:46:18 -0500
Subject: [VPN] First VPN
References: <200305011610.AA2106720450@northnet.org>
Message-ID: <000801c310a8$d3db2350$326fa8c0@office3>

----- Original Message -----
> I'm attempting to set up a VPN. The host is a 2000 server op system - and is connected to a LAN. I'm running into problems though. Our fractional T1 enters the building on an ADTRAN voice/IP box. It then is directed to a router, and continues to be distributed over the LAN.
>
> I've tried a few times to configure VPN - all failures. If I use the make a new connection wizard for the host, I get a certification error when trying to connect from a client. If I use the Remote Access and Routing wizard for the host, I get a no answer when trying to connect from a client.
>
> Do I need two separate NICs for the server? Or what am I doing wrong? Do I need to purchase/create a certificate, or will it work without one?
>
> Thanks for your help,
> Dave

Dave,

You can do PPTP with Win2K and not use certificates...provided PPTP fits your needs. As far as no answer, is your VPN server behind a firewall? If so, is port 1723 forwarded to your server? Also you'll need GRE support.

HTH,

John Guynn
System Administrator
support at tradersparadise.com
www.tradersparadise.com

From rmalayter at bai.org Fri May 2 14:48:43 2003
From: rmalayter at bai.org (Ryan Malayter)
Date: Fri, 2 May 2003 13:48:43 -0500
Subject: [VPN] Win2K RRAS and Tiny Soft Personal Firewall
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A390D16@cliff.bai.org>

Most of the freeware versions of personal firewalls do not allow outbound VPN connections. You might need to buy their pro version. As for what ports and protocols PPTP uses, you can get that information many places on the web.
Basically, you need to allow these *outbound* from each device, and inbound on the PPTP server:

1) TCP port 1723
2) IP protocol 47 (GRE).

Ryan Malayter
Sr. Network & Database Administrator
Bank Administration Institute
Chicago, Illinois, USA
PGP Key: http://www.malayter.com/pgp-public.txt
:::::::::::::::::::::::::::::::
The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.
-Sir Winston Churchill

-----Original Message-----
From: support at tradescan.cc [mailto:support at tradescan.cc]
Sent: Thursday, May 01, 2003 10:02 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Win2K RRAS and Tiny Soft Personal Firewall

I've got a PPTP VPN established between 2 Win2K machines using RRAS. I'd like to run TinySoft Personal Firewall on the VPN server but when I do I can't make the needed connections over the VPN and I can't get TinySoft to tell me what's trying to connect. Anyone else tried this?

John Guynn
System Administrator
support at tradersparadise.com
www.tradersparadise.com

From djdawso at qwest.com Fri May 2 18:09:54 2003
From: djdawso at qwest.com (Dana J. Dawson)
Date: Fri, 02 May 2003 17:09:54 -0500
Subject: [VPN] VPN on Cisco PIX
References: <005d01c30f80$3b9f44f0$0101a8c0@ASTEROID>
Message-ID: <3EB2ECB2.2030509@qwest.com>

I tested this in our lab and it does indeed behave as shannong describes below. Thanks for the clarification!

Dana

shannong wrote:
> The [sysopt connection permit-pptp] affects what things the VPDN client can access after a successful session is established, which means everything. Without that sysopt command, you would need to define what things a VPN client can access with ACLs, as the usual rule of deny all would be in effect when accessing higher security interfaces.
>
> That sysopt command does not affect what addresses can connect to the Pix for PPTP sessions. Also, ACLs applied to a Pix's interface do not affect traffic destined to the Pix itself, such as establishing a PPTP session. That's why you use the commands icmp, telnet, ssh, etc to affect who/what can talk to the Pix, because normal ACLs on interfaces don't stop/allow that traffic destined to the Pix.
>
> Filtering the source address of those terminating VPN tunnels seemed to be the question asked. If that is the question, it cannot be done on the Pix itself. An ACL would need to be created on a device in front of the Pix to limit who could connect to GRE/1723.
>
> -----Original Message-----
> From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Dana J. Dawson
> Sent: Wednesday, April 30, 2003 12:10 PM
> To: vpn at lists.shmoo.com
> Subject: Re: [VPN] VPN on Cisco PIX
>
> Actually, you can, but you have to remove the "sysopt connection permit-pptp" command that is usually used. In this case, you have to permit all the incoming traffic to the PIX with an access-list (or conduit, I suppose), including the PPTP traffic (GRE and TCP/1723). Since you're using an access-list to allow that traffic, you can also restrict the source, which is what you want.
>
> HTH
>
> Dana

--
Dana J. Dawson                djdawso at qwest.com
Senior Staff Engineer         CCIE #1937
Qwest Communications          (612) 664-3364
600 Stinson Blvd., Suite 1S   (612) 664-4779 (FAX)
Minneapolis MN 55413-2620

"Hard is where the money is."

From Carlos at morillo.us Fri May 2 22:34:28 2003
From: Carlos at morillo.us (Carlos A. Morillo)
Date: Fri, 2 May 2003 22:34:28 -0400
Subject: [VPN] End-to-End IP Proto 50 Check
Message-ID: <004501c3111c$cb7c66f0$650610ac@csic.com>

Which tool can I use to troubleshoot/verify this? I'm running a Cisco Lan-to-Lan VPN using a 3030 Concentrator at the corporate office and PIX501 at the remote offices over broadband, mostly dsl.
Thanks

--
Carlos

From Carlos.Morillo at CottonStates.com Sat May 3 11:15:09 2003
From: Carlos.Morillo at CottonStates.com (Morillo, Carlos)
Date: Sat, 3 May 2003 11:15:09 -0400
Subject: [VPN] End-to-end IPSEC check
Message-ID:

Are there any good tools that can help me check end-to-end IPSEC?

I run a Cisco VPN using 3000 concentrators at the corporate office and PIX501 at the 235 remote locations (over broadband, mostly DSL). The problem I'm experiencing is definitely related to network connectivity... Everywhere there is a storm I lose a fairly large number of connections; the concentrator can complete phase I but it never receives any phase II data, so it keeps retrying..

Thanks

--
Carlos Morillo
Atlanta, GA

From TSimons at Delphi-Tech.com Sun May 4 21:21:33 2003
From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com)
Date: Sun, 4 May 2003 21:21:33 -0400
Subject: [VPN] End-to-end IPSEC check
Message-ID: <880E60DA7286AB4CBEECB01B169A63BD0379D4F4@NJ-2K-Email1.delphi-tech.com>

I'm not sure if this affects Cisco to Cisco VPNs. I know it greatly affected Cisco to Symantec Enterprise Firewall VPNs on re-negotiation. The first IKE/IPSEC negotiation would go through fine. ...subsequent re-negotiations always failed.

HANDLE UNEXPECTED CISCO BUGS | Tom Lancaster

As fantastic as Cisco's IOS is, it's not completely bug-free. And unfortunately, these bugs often occur in the most complicated configurations like IPsec implementations. One particularly annoying issue that plagues several versions happens when IOS attempts to set up an encrypted tunnel, but the tunnel fails. At some point, the information in the router's memory doesn't get cleared when it should and this prevents the success of future attempts. This can drive technicians crazy, because the configuration was working in the past, and suddenly seems not to be working.

Read the entire tip here: http://www.searchNetworking.com/tip/1,289483,sid7_gci881071,00.html

This is fixed in PIX IOS v6.3(1)

-----Original Message-----
From: Morillo, Carlos [mailto:Carlos.Morillo at CottonStates.com]
Sent: Saturday, May 03, 2003 11:15 AM
To: 'vpn at lists.shmoo.com'
Subject: [VPN] End-to-end IPSEC check

Are there any good tools that can help me check end-to-end IPSEC?

I run a Cisco VPN using 3000 concentrators at the corporate office and PIX501 at the 235 remote locations (over broadband, mostly DSL). The problem I'm experiencing is definitely related to network connectivity... Everywhere there is a storm I lose a fairly large number of connections; the concentrator can complete phase I but it never receives any phase II data, so it keeps retrying..

Thanks

--
Carlos Morillo
Atlanta, GA

From support at tradescan.cc Tue May 6 11:00:40 2003
From: support at tradescan.cc (support at tradescan.cc)
Date: Tue, 6 May 2003 10:00:40 -0500
Subject: [VPN] Win2K RRAS and firewalls
Message-ID: <000c01c313e0$42d84e60$326fa8c0@office3>

The more I look at my current VPN solution the more I come to realize that I need some sort of firewall software for my Win2K server running RRAS. Let me explain a little and hopefully someone here can come up with a suggestion:

I've built a Win2K Server box that will go off site as an "access server" for the subscription based service my company provides. Our on site Win2K Pro data server makes the outgoing call to the VPN server to establish a PPTP tunnel to pass data (in this case multicast data). Once I send my box off site, I have to consider it a hostile entity because it will be plugged into a network that I have no control over.
I would much rather block "stuff" on the VPN server (its only job is to handle VPN traffic) than block "stuff" on my data server as it provides data to both VPN and non-VPN customers. Also by blocking from the VPN server side, I waste as little bandwidth as possible.

Does anyone make a software firewall package that works and plays well with RRAS servers?

John Guynn
System Administrator
support at tradersparadise.com
www.tradersparadise.com

From dgoldsmith at sans.org Tue May 6 11:57:41 2003
From: dgoldsmith at sans.org (David Goldsmith)
Date: 06 May 2003 11:57:41 -0400
Subject: [VPN] Cisco VPN and Proxy ARP
Message-ID: <1052236661.1275.35.camel@dev.g0ldsmith.com>

I have a working setup using a Cisco 3000 concentrator and Cisco VPN clients. Users who activate the VPN Client can communicate with any 'internal' servers that the firewall allows. While clients are connected, the internal servers can also communicate with the VPN Client's tunneled IP address.

What I am trying to do is to allow two VPN clients to talk directly to each other. I have configured a 'Tunnel Default Gateway' which points to the internal firewall connected to the same network segment as the internal private interface on the VPN concentrator.

The VPN private network segment is 192.168.100.0/24. The internal firewall is 192.168.100.1 and the private VPN interface is 192.168.100.2. If Client A (192.168.100.128) pings Client B (192.168.100.140), I see ICMP echo requests that are sent from .128 to the .140 IP address but that use the firewall's MAC address as the destination MAC address.

Is this method of communication (client-to-client) possible and if so, what configuration option(s) do I need to change?

Thanks,
David Goldsmith

From dgoldsmith at sans.org Tue May 6 15:30:11 2003
From: dgoldsmith at sans.org (David Goldsmith)
Date: 06 May 2003 15:30:11 -0400
Subject: [VPN] Cisco VPN and Proxy ARP
In-Reply-To: <1052236661.1275.35.camel@dev.g0ldsmith.com>
References: <1052236661.1275.35.camel@dev.g0ldsmith.com>
Message-ID: <1052249412.1274.43.camel@dev.g0ldsmith.com>

Just got off the phone with Cisco TAC. This is a known bug in the proxy ARP code. It was discovered in the 3.6.7A firmware and is still a bug in 4.0. The 4.1 firmware includes a fix and will be out shortly.

Dave

On Tue, 2003-05-06 at 11:57, David Goldsmith wrote:
> I have a working setup using a Cisco 3000 concentrator and Cisco VPN clients. Users who activate the VPN Client can communicate with any 'internal' servers that the firewall allows. While clients are connected, the internal servers can also communicate with the VPN Client's tunneled IP address.
>
> What I am trying to do is to allow two VPN clients to talk directly to each other. I have configured a 'Tunnel Default Gateway' which points to the internal firewall connected to the same network segment as the internal private interface on the VPN concentrator.
>
> The VPN private network segment is 192.168.100.0/24. The internal firewall is 192.168.100.1 and the private VPN interface is 192.168.100.2. If Client A (192.168.100.128) pings Client B (192.168.100.140), I see ICMP echo requests that are sent from .128 to the .140 IP address but that use the firewall's MAC address as the destination MAC address.
>
> Is this method of communication (client-to-client) possible and if so, what configuration option(s) do I need to change?
>
> Thanks,
> David Goldsmith

From george.colt at hq.doe.gov Wed May 7 10:27:00 2003
From: george.colt at hq.doe.gov (George Colt)
Date: 07 May 2003 10:27:00 -0400
Subject: [VPN] Plethora VPN
In-Reply-To: <20030507120010.54325.84942.Mailman@sisyphus.iocaine.com>
References: <20030507120010.54325.84942.Mailman@sisyphus.iocaine.com>
Message-ID: <1052317620.21262.18.camel@bambam>

Has anyone had any experience with the Plethora VPN?

http://www.plethoratech.com/

-george

From iqbal.g at net4india.net Wed May 7 11:11:53 2003
From: iqbal.g at net4india.net (iqbal)
Date: Wed, 07 May 2003 20:41:53 +0530
Subject: [VPN] cisco stats
Message-ID: <3EB92239.A4D9A1E1@net4india.net>

Hi

I am trying to locate some stats as to how many IPSEC tunnels etc a router can handle, e.g. a 3660 as opposed to 7 series. Also how does this relate to the packets per sec processed details given by cisco...if there is any relation?

Thanks
Iqbal

From GANDAVR at amtrak.com Thu May 8 11:50:15 2003
From: GANDAVR at amtrak.com (Gandavarapu, Ravi)
Date: Thu, 8 May 2003 11:50:15 -0400
Subject: [VPN] Beginner to VPN
Message-ID: <6884E1673453124EAE6D38A3A87C3B5701D837F0@wasexch01.corp.nrpc>

Hi,

I am a beginner to VPN. I have a Netgear FVS318 router and DSL connection at home. Is it possible to connect from my work to home through VPN? If possible, how can I connect? I run WIN2K server at home and professional at work. At work I am behind firewalls.

I appreciate your help.

Thank You,
Ravi Gandavarapu.
(202) 906-4795

From cgripp at automotive.com Thu May 8 19:24:12 2003
From: cgripp at automotive.com (Chris Gripp)
Date: Thu, 8 May 2003 16:24:12 -0700
Subject: [VPN] Cisco VPN and Proxy ARP
Message-ID:

Couldn't you work around it by providing the 2 clients separate IP networks and then having routes to those on a central router on your network?
The packet flow would be:

client1--->vpn--->router--->vpn--->client2

-Chris

-----Original Message-----
From: David Goldsmith [mailto:dgoldsmith at sans.org]
Sent: Tuesday, May 06, 2003 12:30 PM
To: vpn at lists.shmoo.com
Subject: Re: [VPN] Cisco VPN and Proxy ARP
From DShaw at exceed.com.au Thu May 8 20:17:37 2003
From: DShaw at exceed.com.au (Dale Shaw)
Date: Fri, 9 May 2003 10:17:37 +1000
Subject: [VPN] SonicWall - Passing DNS settings to VPN clients?
Message-ID:

Hi,

I'm struggling to work out how (if at all) I can automagically configure a SonicWall VPN client with things like DNS and WINS settings (i.e. pointing the client at a DNS server on the 'LAN' side of the SonicWall). With Cisco's kit, the gateway pushes config through to the client. With Microsoft's client, you have a 'connection' to configure specific network settings on.

The SonicWall/SafeNet client doesn't talk about it and for the life of me I can't find any reference to it in the web management interface. Am I missing something obvious or do people just hard-code these settings on the underlying connection profile (be it a modem dialup to an ISP, or whatever)?

I'm running Windows 2000 Professional on the client side and the latest firmware on the SonicWall.

Cheers,
Dale

From area_20 at hotmail.com Fri May 9 10:34:08 2003
From: area_20 at hotmail.com (Dain .)
Date: Fri, 09 May 2003 14:34:08 +0000
Subject: [VPN] Checkpoint NG FP3 and Firewall Module
Message-ID:

Hi all,

I have recently installed a Checkpoint cluster and a Management machine running NG FP3 but by accident installed the Firewall module onto the W2K box as well as the management clients. We only noticed this when the firewall wouldn't log to the admin box. We have managed to stop the firewall process on the management PC and the logging now works OK.
The question is, is there any way of removing the firewall component whilst just leaving the management clients, or do we need to completely re-install the box? If we can remove the process, how would you recommend backing up the config?

Thanks in advance for any light you could shed on this.

From spedersen at axcelerant.com Fri May 9 11:53:21 2003
From: spedersen at axcelerant.com (Scott Pedersen)
Date: Fri, 9 May 2003 08:53:21 -0700
Subject: [VPN] SonicWall - Passing DNS settings to VPN clients?
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF025464D8@guam.corp.axcelerant.com>

Although I have yet to test it, the latest client, SonicWALL Global VPN Client 1.0, released in March, will do this.

-----Original Message-----
From: Dale Shaw [mailto:DShaw at exceed.com.au]
Sent: Thursday, May 08, 2003 5:18 PM
To: vpn at lists.shmoo.com
Subject: [VPN] SonicWall - Passing DNS settings to VPN clients?
From TKoopman at SonicWALL.com Fri May 9 21:18:22 2003
From: TKoopman at SonicWALL.com (TKoopman at SonicWALL.com)
Date: Fri, 9 May 2003 18:18:22 -0700
Subject: [VPN] SonicWall - Passing DNS settings to VPN clients?
Message-ID: <0E77420A23C7564892C5958DCE779C1F0BF5D1@us0exb02.us.sonicwall.com>

The new SonicWALL Global VPN client supports these features and more. Check it out at www.sonicwall.com

Best Regards

TODD KOOPMAN
Systems Engineer
SonicWALL

-----Original Message-----
From: Dale Shaw [mailto:DShaw at exceed.com.au]
Sent: Thursday, May 08, 2003 5:18 PM
To: vpn at lists.shmoo.com
Subject: [VPN] SonicWall - Passing DNS settings to VPN clients?
From friedberg at comets.com Sun May 11 16:41:31 2003
From: friedberg at comets.com (Carl Friedberg)
Date: Sun, 11 May 2003 16:41:31 -0400
Subject: [VPN] Checkpoint NG FP3 and Firewall Module
Message-ID: <01KVRT5UN9XU005CUK@mail1.fwd.com>

I hope you have enterprise-level Checkpoint support available. Personally, I would recommend you research alternatives to NG. I personally suspect those letters really mean Not Good (quality of support, code, etc). Just my 2 cents.

I have been involved with similar types of issues (FP3 upgrade failed, thereafter the system is fundamentally unstable, can't apply FP2 patches, can't upgrade to FP3). I wonder if it is just the cluster with a management station that has these problems, or if they are more widespread. Interestingly enough, the FW to FW VPN seems to work well...

Have you looked into a Cisco PIX? Or, if you are technically capable, would IPTables/Netfilter (Linux) or BSD IPFilter work for you? With FreeSWAN for VPN? Or CIPE?

BTW, is this a SecuRemote question? If not, you should join FirewallWizards or similar and post there; there are probably more people who are FW1 experts.

Carl

-----Original Message-----
From: Dain . [mailto:area_20%hotmail.com at fwd.com]
Sent: Friday, May 09, 2003 10:34 AM
To: vpn
Subject: [VPN] Checkpoint NG FP3 and Firewall Module
From bbcstar at 21cn.com Mon May 12 03:33:45 2003
From: bbcstar at 21cn.com (beboy)
Date: Mon, 12 May 2003 15:33:45 +0800
Subject: [VPN] VPN issue: Netscreen 5XP and Windows XP client
Message-ID: <000e01c31858$d7324350$e601010a@alchipge>

I have a Netscreen 5XP (N5) working as a firewall in a LAN. On the other side, some Windows XP (WinXP) users use ADSL to connect to the Internet. Basically, I just want to have WinXP connect to the LAN by the VPN set up on N5. WinXP has the Netscreen Remote client installed, and all things related to the VPN are set correctly on N5 (the other machines can connect to the LAN properly). The strange thing is that one of the clients with WinXP cannot get through at all. The client log keeps complaining:

    13:15:58.030 My Connections\VPN - Initiating IKE Phase 1 (IP ADDR=xx.xx.xx.xx)
    13:15:58.077 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
    13:16:13.952 My Connections\VPN - message not received! Retransmitting!
    13:16:13.952 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
    13:16:29.202 My Connections\VPN - message not received! Retransmitting!
    13:16:29.202 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
    13:16:44.202 My Connections\VPN - message not received! Retransmitting!
    13:16:44.202 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
    13:16:59.202 My Connections\VPN - Exceeded 3 IKE SA negotiation attempts

Any hints for this? What should I do on the client or server side? Do we have a troubleshooting process for this kind of issue? Thanks a lot!
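The client log above lends itself to a small triage script (an added example, not code from the thread): it parses NetScreen-Remote-style client log lines and separates "the gateway never answered the first aggressive-mode message" from "the gateway answered and the negotiation still failed", which is the first thing to settle before touching either side's config. The sample log lines are constructed from the post's format with the masked peer replaced by a documentation address, and the RECEIVED<<< / "Established IKE SA" wording of the second sample is an assumption about the client's output.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample, modelled line-for-line on the client log quoted in the post;
# the masked peer address is replaced by the documentation address 203.0.113.10.
NO_RESPONSE_LOG = r"""
13:15:58.030 My Connections\VPN - Initiating IKE Phase 1 (IP ADDR=203.0.113.10)
13:15:58.077 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
13:16:13.952 My Connections\VPN - message not received! Retransmitting!
13:16:13.952 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
13:16:29.202 My Connections\VPN - message not received! Retransmitting!
13:16:29.202 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
13:16:44.202 My Connections\VPN - message not received! Retransmitting!
13:16:44.202 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
13:16:59.202 My Connections\VPN - Exceeded 3 IKE SA negotiation attempts
"""

# Constructed contrast case: the gateway answers the first aggressive-mode message.
# The RECEIVED<<< and "Established IKE SA" wording is an assumption about the client's format.
RESPONDING_LOG = r"""
09:02:10.100 My Connections\VPN - Initiating IKE Phase 1 (IP ADDR=203.0.113.10)
09:02:10.150 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
09:02:10.420 My Connections\VPN - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID)
09:02:10.480 My Connections\VPN - SENDING>>>> ISAKMP OAK AG *(HASH)
09:02:10.500 My Connections\VPN - Established IKE SA
"""

# <timestamp> <connection name> - <event>
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<conn>.+?) - (?P<event>.*)$")


@dataclass
class Phase1Attempt:
    connection: str
    peer: Optional[str] = None
    mode: Optional[str] = None   # "AG" (aggressive) or "MM" (main) from the ISAKMP OAK tag
    sent: int = 0                # every SENDING>>>> line, first message included
    retransmissions: int = 0     # SENDING>>>> lines tagged (Retransmission)
    received: int = 0            # RECEIVED<<< lines, i.e. any answer from the gateway
    gave_up: bool = False        # "Exceeded N IKE SA negotiation attempts"
    first_ts: str = ""
    last_ts: str = ""

    def elapsed_seconds(self) -> float:
        fmt = "%H:%M:%S.%f"
        return (datetime.strptime(self.last_ts, fmt) - datetime.strptime(self.first_ts, fmt)).total_seconds()


def parse_attempts(log: str) -> List[Phase1Attempt]:
    """Group client log lines into Phase 1 attempts, one per 'Initiating IKE Phase 1'."""
    attempts: List[Phase1Attempt] = []
    current: Optional[Phase1Attempt] = None
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, conn, event = m.group("ts", "conn", "event")
        if event.startswith("Initiating IKE Phase 1"):
            current = Phase1Attempt(connection=conn, first_ts=ts, last_ts=ts)
            peer = re.search(r"IP ADDR=([^)]+)", event)
            current.peer = peer.group(1) if peer else None
            attempts.append(current)
            continue
        if current is None:
            continue
        current.last_ts = ts
        if event.startswith("SENDING>>>>"):
            current.sent += 1
            mode = re.search(r"ISAKMP OAK (AG|MM)", event)
            if mode:
                current.mode = mode.group(1)
            if "(Retransmission)" in event:
                current.retransmissions += 1
        elif event.startswith("RECEIVED<<<"):
            current.received += 1
        elif event.startswith("Exceeded"):
            current.gave_up = True
    return attempts


def classify(a: Phase1Attempt) -> str:
    """Separate 'the gateway never answered' from 'the gateway answered and it still failed'."""
    if a.gave_up and a.received == 0:
        # Retransmissions with no reply: the peer is unreachable, UDP/500 is filtered on
        # the path, or the gateway silently dropped a proposal/ID it does not accept.
        return "no_response"
    if a.gave_up:
        # The peer did talk back, so reachability is fine; look for a proposal or
        # authentication mismatch in the gateway's own debug output instead.
        return "failed_after_reply"
    if a.received:
        return "responding"
    return "in_progress"


def triage(log: str) -> List[str]:
    """One summary line per Phase 1 attempt found in the log."""
    return [f"{a.connection} -> {a.peer} [{a.mode}] {classify(a)}: "
            f"{a.sent} sent, {a.retransmissions} retransmissions, {a.received} received, "
            f"{a.elapsed_seconds():.1f}s" for a in parse_attempts(log)]


if __name__ == "__main__":
    for line in triage(NO_RESPONSE_LOG) + triage(RESPONDING_LOG):
        print(line)
```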
From lm at intrinsic.it Tue May 13 08:19:22 2003
From: lm at intrinsic.it (Luigi Mori)
Date: Tue, 13 May 2003 14:19:22 +0200
Subject: [VPN] VPN issue: Netscreen 5XP and Windows XP client
Message-ID:

Did you check the event log on the NetScreen side? You can enable a verbose mode using the command "debug ike basic". To view the logs you can use the command "get dbuf stream".

The NetScreen GW is not responding to the first message of Phase 1.
I think there is a config mismatch between NS-Remote and the GW.

Regards,
lm

From losttoy2000 at yahoo.co.uk Tue May 13 09:17:52 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Tue, 13 May 2003 14:17:52 +0100 (BST)
Subject: [VPN] Checkpoint NG FP3 and Firewall Module
In-Reply-To:
Message-ID: <20030513131752.38284.qmail@web12706.mail.yahoo.com>

Look at http://www.phoneboy.com/fom-serve/cache/149.html

Simply back up all your config files, reinstall your Management module+Fw-GUI and then restore the backed-up files. That should do it.

From Munix-1 at pacbell.net Thu May 15 00:00:44 2003
From: Munix-1 at pacbell.net (Jose Muniz)
Date: Wed, 14 May 2003 21:00:44 -0700
Subject: [VPN] SonicWall - Passing DNS settings to VPN clients?
References: <0E77420A23C7564892C5958DCE779C1F0BF5D1@us0exb02.us.sonicwall.com>
Message-ID: <3EC310EC.9010401@pacbell.net>

I will have to rather recommend a NetScreen firewall. It supports the std. for passing IP address info to the client, including DNS, WINS, even the IP for the virtual adaptor etc., via mode-config, and xauth for user authentication...

Next time don't buy your security gear from ToysRus; get a real firewall :-P

jose
From kazuki.kamiya at uniadex.co.jp Thu May 15 21:52:13 2003
From: kazuki.kamiya at uniadex.co.jp (kazuki kamiya)
Date: Fri, 16 May 2003 10:52:13 +0900
Subject: [VPN] VPN3k LAN-to-LAN connection
Message-ID:

I want to know about Cisco VPN3k LAN-to-LAN VPN. Should I add a routing entry for SiteB to vpn3kA?

vpn3kA routing table
###################################
destination    next hop
SiteB          router
###################################

SiteA-----vpn3kA------router-------VPN3kB--------SiteB

If I don't add a routing entry for SiteB to VPN3kA, I cannot ping SiteB from SiteA (I can ping vpn3kB from vpn3kA).
If I add a routing entry for SiteB to VPN3kA, I can ping SiteB from SiteA.

I think it strange.

From JohnC at hcarr.com Fri May 16 13:16:15 2003
From: JohnC at hcarr.com (John Clark)
Date: Fri, 16 May 2003 13:16:15 -0400
Subject: [VPN] l2tp through Cisco Pix with single Interface Address
Message-ID: <33AB4990A8F2574E9F5803389A2093AF01E8@hcarrexch.hcarr.com>

Hi,

I am trying to allow an internal user to use an L2TP client through the PIX firewall with a single IP address on the external interface. I see the ACLs that I need to use, but will it allow me to do what is needed without utilizing the static command? If I do, do I need to do it just for UDP 500 or also for IP 50 and 51?

Thanks.

John

From keithp at corp.ptd.net Fri May 16 14:47:52 2003
From: keithp at corp.ptd.net (Keith Pachulski)
Date: Fri, 16 May 2003 14:47:52 -0400
Subject: [VPN] l2tp through Cisco Pix with single Interface Address
Message-ID:

L2TP uses 1701/udp, not 500/udp or AH/ESP. In the ACL, permit the internal host access to the remote system over that specific UDP port.
-----Original Message-----
From: John Clark [mailto:JohnC at hcarr.com]
Sent: Friday, May 16, 2003 1:16 PM
To: vpn at lists.shmoo.com
Subject: [VPN] l2tp through Cisco Pix with single Interface Address

From shannong at texas.net Sat May 17 00:48:40 2003
From: shannong at texas.net (shannong)
Date: Fri, 16 May 2003 23:48:40 -0500
Subject: [VPN] SonicWall - Passing DNS settings to VPN clients?
In-Reply-To: <3EC310EC.9010401@pacbell.net>
Message-ID: <00a501c31c2f$96a740d0$840a0a0a@ASTEROID>

I would agree with Jose in general... get a real VPN-capable firewall. Although, if your goal is VPN capabilities in a firewall, Checkpoint and Cisco are much more attractive. These vendors' VPN clients include a firewall on the client side that can be controlled when the session is established. The firewall can be turned on, inbound/outbound rules established, and the VPN client told what traffic should be sent to the firewall vs. what should be sent out the "normal" Internet connection. Filters can be established per user/group, and you can use certificates and other two-factor authentication schemes.

The Cisco client also has the advantage of only resolving DNS domains across the tunnels that are defined by the VPN terminator. All others go to the "normal" DNS server of the Internet client.
-Shannon

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Jose Muniz
Sent: Wednesday, May 14, 2003 11:01 PM
To: TKoopman at SonicWALL.com
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] SonicWall - Passing DNS settings to VPN clients?
From kristian.svensson at ortivus.se Mon May 19 11:26:15 2003
From: kristian.svensson at ortivus.se (Kristian Svensson)
Date: Mon, 19 May 2003 17:26:15 +0200
Subject: [VPN] IPSec client in windows
Message-ID:

Hello,

Which pure IPSec client (not L2TP) would you recommend if I am to launch it from my own program, developed in Visual Studio 6.0 C++? I have tried Contivity and it works fine, although it displays a window when I fail to connect. I want it to be completely silent.

I normally use rasapi32, so it would be nice if there is a client with a similar API, but I can't find any. Anyone?

Thanks,
Kristian

From john at bvcolorado.com Mon May 19 12:07:20 2003
From: john at bvcolorado.com (John Lockett)
Date: Mon, 19 May 2003 10:07:20 -0600
Subject: [VPN] VPN Speed
Message-ID: <3EC8ACD8.17282.AB2D69@localhost>

I have set up a VPN between Denver, CO and Buena Vista, CO. The Denver office is connected to the net with a T-1, provided by Sprint. I have a Cisco 1600 router and a SonicWall Tele3 to connect and provide security and VPN services. The Buena Vista office is connected to the net with a 512kb Broadband Wireless link. I am using a SonicWall Tele3 to provide security and VPN services.

I have tested the up and down speeds on the Buena Vista side and they range from 500kbps to 700kbps. The Denver side is getting 1120 kbps average up and down speeds.
Yet when I try to attack from the Denver site to the Buena Vista site, the connection speed is slower than the original 56k direct connection.

I would appreciate any assistance.

From dale.nunnery at medicorp.org Mon May 19 18:15:32 2003
From: dale.nunnery at medicorp.org (dale.nunnery at medicorp.org)
Date: Mon, 19 May 2003 18:15:32 -0400
Subject: [VPN] FAQ for vendors
Message-ID:

I will be meeting with vendors who are "pitching" VPN. What questions should I ask them to ensure that we cover all bases?

Thank you,

Dale Nunnery
PACS Systems Analyst
MediCorp Health System
Information Services
(540) 372-7304
Pager (540) 741-1006
Vmail dale.nunnery at medicorp.org

From losttoy2000 at yahoo.co.uk Tue May 20 01:41:10 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Tue, 20 May 2003 06:41:10 +0100 (BST)
Subject: [VPN] IPSec client in windows
In-Reply-To:
Message-ID: <20030520054110.39530.qmail@web12707.mail.yahoo.com>

SSH: http://www.ssh.com/support/documentation/all/ipsec_express/

Are you looking for some freeware??
From rmalayter at bai.org Tue May 20 17:03:59 2003
From: rmalayter at bai.org (Ryan Malayter)
Date: Tue, 20 May 2003 16:03:59 -0500
Subject: [VPN] VPN Speed
Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEA5F@cliff.bai.org>

Sounds like routing issues between the two networks. It may be something your ISPs have to figure out. Have you run tracert between the two sites?

Are your speed tests over the VPN tunnel? Or in the clear between opened ports? Try testing in the clear to eliminate the VPN as a possible source of trouble.

Ryan Malayter
Sr. Network & Database Administrator
Bank Administration Institute
Chicago, Illinois, USA
PGP Key: http://www.malayter.com/pgp-public.txt
:::::::::::::::::::::::::::::::
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
-Albert Einstein

-----Original Message-----
From: John Lockett [mailto:john at bvcolorado.com]
Sent: Monday, May 19, 2003 11:07 AM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN Speed
From exo_wa at yahoo.com Tue May 20 21:34:46 2003
From: exo_wa at yahoo.com (Exo Wa)
Date: Tue, 20 May 2003 18:34:46 -0700 (PDT)
Subject: [VPN] NetScreen 25
In-Reply-To: <20030520120010.33057.56329.Mailman@sisyphus.iocaine.com>
Message-ID: <20030521013446.95402.qmail@web21003.mail.yahoo.com>

Hi,

I am trying to set up a NetScreen 25 with three Ethernet ports and running into some issues.

NS-25 with 3 ports:
Port 1 will be used for one private network: 192.168.95.0 (TRUST, NAT)
Port 2 will be used for another private network: 192.168.90.0 (DMZ-ROUTE)
Port 3 will be used to access the Internet: 215.23.23.43 <-- bogus IP (UNTRUST)

Right now, I am able to access from DMZ to TRUST but not the other way around... TRUST to DMZ. How do I set it up? Any help on this would be much appreciated.

-Exo.

From Juri.Reitsakas at Vorguvara.ee Wed May 21 02:09:14 2003
From: Juri.Reitsakas at Vorguvara.ee (Juri.Reitsakas at Vorguvara.ee)
Date: Wed, 21 May 2003 09:09:14 +0300
Subject: [VPN] NetScreen 25
In-Reply-To: <20030521013446.95402.qmail@web21003.mail.yahoo.com>
Message-ID:

Hi,

Please pay attention to zones. You have a separate set of policies between the zones. Probably you have set policies for the untrust-trust zone pair (I expect that Port-2 is assigned to the untrust zone) and do not have the policy from trust to untrust?!

Regards
Juri

Exo Wa
Sent by: vpn-admin at lists.shmoo.com
To: vpn at lists.shmoo.com
Subject: [VPN] NetScreen 25
21.05.2003 04:34
From waltr at umich.edu Wed May 21 10:09:08 2003
From: waltr at umich.edu (Walt Reynolds)
Date: Wed, 21 May 2003 10:09:08 -0400 (EDT)
Subject: [VPN] Host to Host VPN
Message-ID:

Forgive me if this was discussed before, but I do not see a way to search the archives. I have a few general questions that I am hoping you all can help me with.

1. Host to Host VPN connections. I am looking for a software solution that will allow me to connect singular machines together (well, not exactly). I have a single machine that would need to be able to have multiple machines connected to it. Can this be done...

PC-1------------|-------PC-a
                |-------PC-b
                |-------PC-c

I was thinking PGPnet, but still confused on that. The easiest answer is probably a hardware one, but I want to avoid that for now. So I would like to be able to set up some connection that encrypts the data between them. SSH and the like will not work (as far as I know) as they need to connect to a FoxPro database on PC-1 and work through their machines (PC-[a-c]).

Actually, I will keep this to that question for now and ask others later.

Thanks.

--
Walt Reynolds
University of Michigan

From mdalto at sflawish.org Wed May 21 15:43:35 2003
From: mdalto at sflawish.org (Michael D'Alto)
Date: Wed, 21 May 2003 15:43:35 -0400
Subject: [VPN] VPNs, bandwidths, and Citrix
Message-ID:

I have a couple of very basic questions about VPN management. I just recently started as a SysAdmin for a small non-profit that used to outsource most of its IT.
I worked in technical support on the client side of a large university network, so I'm fairly computer literate and capable, but a newbie to small office environments, system administration, etc.

We currently have three employees accessing a centrally located database over a VPN through a Watchguard Firebox system. The performance is horrendous due to the amount of data being sent back and forth. It has been suggested that we install a Citrix Metaframe system to drastically reduce the amount of data being sent. Two questions come to mind that I was hoping someone could help me with:

Are three users on a VPN the bottleneck, such that a Citrix installation will not drastically help? What is the bandwidth over a VPN, how is it shared and maximized?

Am I correct in assuming that Citrix helps this only by reducing the amount of data being sent over the VPN?

Thank you so much in advance!

Sincerely,
Michael D'Alto

Michael D'Alto
Technology and Research Coordinator
Make-A-Wish Foundation of Southern Florida
PO Box 17377
Fort Lauderdale, FL 33318
954.967.9474 ext. 314
954.987.2468 fax

From thebum at earthlink.net Wed May 21 16:20:02 2003
From: thebum at earthlink.net (Mike Biser)
Date: Wed, 21 May 2003 13:20:02 -0700
Subject: [VPN] VPN Netscreen 50 to Linksys BEFVP41
Message-ID: <011301c31fd6$5d1a4150$4402470a@t4400>

I have several VPN tunnels currently set up between our office Netscreen 50 and remote Linksys BEFVP41 routers, both sides of the tunnel having static IPs, and everything is great! What I'm trying to do is reconfigure one of the Linksys routers to a dynamic IP and still have the VPN tunnel to the Netscreen. So far I've been unsuccessful. Where I think I'm running into trouble is with the Netscreen.
When reconfiguring this VPN tunnel, I changed the option from "Static IP" to "Dynamic IP" which now requires me to put in a "Peer ID". From what I can tell, the Linksys doesn't have this Peer ID field. Any ideas?

From support at tradescan.cc Wed May 21 16:57:56 2003
From: support at tradescan.cc (support at tradescan.cc)
Date: Wed, 21 May 2003 15:57:56 -0500
Subject: [VPN] Host to Host VPN
References:
Message-ID: <004001c31fdb$a79981a0$336fa8c0@office3>

If you are working with Linux or BSD boxes you might take a look at VTun http://vtun.sourceforge.net/.

I've used it before and once you get it installed and configured it's a pretty nice package. It's probably not as secure as an IPSec based VPN but it does have some encryption options along with compression capability.

HTH,

John Guynn

From TSimons at Delphi-Tech.com Wed May 21 19:24:04 2003
From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com)
Date: Wed, 21 May 2003 19:24:04 -0400
Subject: [VPN] VPNs, bandwidths, and Citrix
Message-ID: <880E60DA7286AB4CBEECB01B169A63BD0379D77B@NJ-2K-Email1.delphi-tech.com>

Citrix will definitely cut the needed bandwidth, but it's an expensive solution for 3 people. If Microsoft Terminal Server is sufficient, you could use that and it comes with Win2000. Another option would be remote controlling PCs on site, local to the DB. ...it depends what kind of budget you have. Terminal Server and Citrix will both run over a dialup connection.

~Todd

-----Original Message-----
From: Michael D'Alto [mailto:mdalto at sflawish.org]
Sent: Wednesday, May 21, 2003 3:44 PM
To: 'vpn at lists.shmoo.com'
Subject: [VPN] VPNs, bandwidths, and Citrix

From TSimons at Delphi-Tech.com Wed May 21 19:27:56 2003
From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com)
Date: Wed, 21 May 2003 19:27:56 -0400
Subject: [VPN] VPN Netscreen 50 to Linksys BEFVP41
Message-ID: <880E60DA7286AB4CBEECB01B169A63BD0379D77C@NJ-2K-Email1.delphi-tech.com>

What Firmware version do you have on the BEFVP41? 1.40.x and later has an advanced link on the VPN Screen. On this screen you can choose main mode vs aggressive mode, etc.
Just be wary...it's not laid out well; for each VPN entity there are advanced settings, but the way things are laid out initially it appears to be global settings.

~Todd

-----Original Message-----
From: Mike Biser [mailto:thebum at earthlink.net]
Sent: Wednesday, May 21, 2003 4:20 PM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN Netscreen 50 to Linksys BEFVP41

From losttoy2000 at yahoo.co.uk Thu May 22 01:00:58 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Thu, 22 May 2003 06:00:58 +0100 (BST)
Subject: [VPN] Host to Host VPN
In-Reply-To:
Message-ID: <20030522050058.83931.qmail@web12706.mail.yahoo.com>

Which OS are you using on your hosts? Most OSs support IPSec natively, so you should have to buy some VPN solution, hardware/software.

Siddhartha

--- Walt Reynolds wrote:
> 1. Host to Host VPN connections. I am looking for a software solution
> that will allow me to connect singular machines together (well not
> exactly)

From lists at fips.de Thu May 22 01:52:35 2003
From: lists at fips.de (Philipp Buehler)
Date: Thu, 22 May 2003 07:52:35 +0200
Subject: [VPN] FAQ for vendors
In-Reply-To: ; "dale.nunnery@medicorp.org" on 20.05.2003 @ 00:15:32 CEST
References:
Message-ID: <20030522075235.A12198@pohl.fips.de>

On 20/05/2003, dale.nunnery at medicorp.org wrote To vpn at lists.shmoo.com:
> I will be meeting with a vendor who is "pitching" VPN. What questions
> should I ask him to ensure that we cover all bases?

http://www.vpnc.org/
http://www.vpnc.org/InteropProfiles/

?! :)

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |
#1: Break the clue barrier! #2: Already had buzzword confuseritis ?
From najla.ouragini at atlasoft.com Thu May 22 05:36:35 2003
From: najla.ouragini at atlasoft.com (Najla Ouragini)
Date: Thu, 22 May 2003 10:36:35 +0100
Subject: [VPN] VPN and mail server
Message-ID: <001c01c32045$a32be120$7201a8c0@Najla>

Hi,

I have a problem configuring a PIX version 6.2 for accessing a mail server. In fact, we are a start-up which has a PIX. A VPN tunnel is established between our start-up and another society A. This society A has a VPN tunnel to another society B, not by a PIX but by other software. Some of our staff have to connect to a mail server in society B. I want to know how I should configure both our PIX and the PIX of society A so that our start-up can access this mail server (the mail server is accessed by society B).

If you need more information, just contact me.

Thank you very much in advance.

Najla Ouragini.

From waltr at umich.edu Thu May 22 08:04:44 2003
From: waltr at umich.edu (Walt Reynolds)
Date: Thu, 22 May 2003 08:04:44 -0400 (EDT)
Subject: [VPN] Host to Host VPN
In-Reply-To: <004001c31fdb$a79981a0$336fa8c0@office3>
Message-ID:

John,

This does help, but not in this instance. Will be using Mac OS 9 and 10 as well as Windows XP and 2000.

On Wed, 21 May 2003 support at tradescan.cc wrote:
> If you are working with Linux or BSD boxes you might take a look at VTun
> http://vtun.sourceforge.net/.

--
Walt Reynolds
University of Michigan

From pjacob at ftmc.com Thu May 22 20:09:05 2003
From: pjacob at ftmc.com (Pete Jacob)
Date: 22 May 2003 20:09:05 -0400
Subject: [VPN] VPNs, bandwidths, and Citrix
In-Reply-To:
References:
Message-ID: <1053648544.8130.7.camel@Overlord.Ftmc.Com>

Michael, it sounds like you are doing the right thing... a lot would depend on what kind of bandwidth you have to play with, and what kind of bandwidth the remote users have... if you have a T3, and the remote user has a 56k dial-up to the internet, then it probably would not work real well... try and get the remote users something as stable as possible, do some research to make sure that both your internet (VPN) connection and the remote users' ISPs are not over-subscribed... I also have separate VPN connections into my work with different ISPs just in case one goes down, users can connect through the other one.

What kind of VPN connection would the remote users be using? PPTP? L2TP? IPsec (clientless?) This may have some effect on bandwidth...

Cheers~
Pete.

> Are three users on a VPN the bottleneck, such that a Citrix installation
> will not drastically help.
> What is the bandwidth over a VPN, how is it shared and maximized?
> Am I correct in assuming that Citrix helps this only by reducing the amount
> of data being sent over the VPN?

From rmalayter at bai.org Thu May 22 16:32:36 2003
From: rmalayter at bai.org (Ryan Malayter)
Date: Thu, 22 May 2003 15:32:36 -0500
Subject: [VPN] VPNs, bandwidths, and Citrix
Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEA7B@cliff.bai.org>

Typically, client/server database applications send very little data, since most of the processing is done by a database server like Microsoft SQL Server. However, there are a few horrible file-based (think .MDB or .DBF files) or even worse cursor-on-top-of-SQL based systems out there that really soak up network bandwidth. You need to make sure your application is really the bandwidth hog before you go investing in anything else. Can the application be re-written? What is the back-end database platform?

A terminal server like Citrix or the more basic Windows Terminal Services basically runs the client application in a virtual screen on a box on your network, and all that gets sent over the VPN are visible changes from this virtual screen. This is typically very efficient in terms of bandwidth.

I would first try the basic Windows Terminal Service built into Windows 2000/3 server, and then only move up to the more expensive Citrix if need be. You can run the base Win2k terminal services without any licenses for 90 days as a test to see if it really helps things.

Ryan Malayter
Sr. Network & Database Administrator
Bank Administration Institute
Chicago, Illinois, USA
PGP Key: http://www.malayter.com/pgp-public.txt
:::::::::::::::::::::::::::::::
Twas a woman who drove me to drink. I never had the courtesy to thank her.
-W.C. Fields

-----Original Message-----
From: Michael D'Alto [mailto:mdalto at sflawish.org]
Sent: Wednesday, May 21, 2003 2:44 PM
To: 'vpn at lists.shmoo.com'
Subject: [VPN] VPNs, bandwidths, and Citrix

From lynch00 at cox.net Thu May 22 17:24:40 2003
From: lynch00 at cox.net (Chris Lynch)
Date: Thu, 22 May 2003 14:24:40 -0700
Subject: [VPN] VPNs, bandwidths, and Citrix
In-Reply-To:
Message-ID:

Mike,

MetaFrame provides a way for users to access applications on a centralized server. It also dramatically reduces the overhead caused by data traversing a slow link, by simulating a desktop or application in a remote location. Have you ever used Terminal Services in Remote Administration mode on Windows 2000 Server/Advanced Server or Windows Server 2003?
It's like pcAnywhere, but quicker. The ICA protocol is an optimized protocol to provide a user with an interface back to an application over a slow link. It's not to say that the ICA protocol isn't for a LAN environment. In fact, the more bandwidth, the better the session appears.

If you have any further specific questions, feel free to email me offline.

Chris Lynch, MCSE CCNA CCEA
Lynch00 at cox.net

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On Behalf Of Michael D'Alto
Sent: Wednesday, May 21, 2003 12:44 PM
To: 'vpn at lists.shmoo.com'

From mspencer at evidentdata.com Fri May 23 14:44:52 2003
From: mspencer at evidentdata.com (Mark G. Spencer)
Date: Fri, 23 May 2003 11:44:52 -0700
Subject: [VPN] Experiences w/ Neoteris?
Message-ID: <001e01c3215b$65b77bd0$b800000a@alderon>

I have been browsing through a prior thread here regarding SSL VPNs. On a somewhat related note, I'm wondering if anyone has had experience with Neoteris? http://www.neoteris.com/

Apparently their SSL based products can be used to access internal resources, securely, from the Internet. One of their recent press releases states "Company Delivers Industry's Only Purpose-Built Application Security Appliances that Meet Latest Stringent Federal Government Security Standards" ..

Do Neoteris's products address the concerns brought up in the SSL VPN thread on this mailing list? Is there a niche that you would use their products for instead of other VPN solutions based on IPSec?

Thanks for the advice!

Mark

From losttoy2000 at yahoo.co.uk Sat May 24 02:35:23 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Sat, 24 May 2003 07:35:23 +0100 (BST)
Subject: [VPN] Host to Host VPN
In-Reply-To:
Message-ID: <20030524063523.91824.qmail@web12701.mail.yahoo.com>

Mac OS X and Win XP/2000 support IPSec natively. Couldn't find much about a solution for MacOS 9 since the internet is down in this part of the world because of the Algiers quake.

--- Walt Reynolds wrote:
> John,
>
> This does help, but not in this instance. Will be using Mac OS 9 and 10
> as well as windows XP and 2000.

From losttoy2000 at yahoo.co.uk Sat May 24 03:32:41 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Sat, 24 May 2003 08:32:41 +0100 (BST)
Subject: [VPN] VPN3k LAN-to-LAN connection
In-Reply-To:
Message-ID: <20030524073241.82279.qmail@web12707.mail.yahoo.com>

Okay, here is how, briefly, a VPN tunnel is established. The terminology might be different depending on your product but the mechanism is the same.

vpn3kA has
-> an access-list matching traffic flowing from SiteA to SiteB.
-> an IPSec policy for this access-list.
-> a peer (vpn3kB here) set for this access-list/IPSec policy.
-> a default route to the internet if vpn3kB is on the internet somewhere, or generally a route to the network to which vpn3kB belongs.

The same goes for vpn3kB.

On vpn3kA, you should have a route that says: All packets destined for vpn3kB should be sent to router. And you should be able to ping vpn3kB whether there is an IPSec tunnel or not. Same for vpn3kB.

On a PC in site-A, you will have to specify the gateway as vpn3kA for packets destined for Site-B network.
If you need to add a route on vpn3kA for packets destined to site-B with next-hop-router, then this probably means you are simply doing routing and no IPSec tunnel is coming up. :)

- kazuki kamiya wrote:
> I want to know cisco vpn3k LAN-to-LAN VPN.
> Should I add routing entry of SiteB to vpn3kA?
>
> vpn3kA routing table
> ###################################
> destination    next hop
> SiteB          router
> ###################################
>
> SiteA-----vpn3kA------router-------VPN3kB--------SiteB
>
> If I don't add routing entry of siteB to VPN3kA,
> I can not ping to SiteB from SiteA
> (I can ping to vpn3kB from vpn3kA)
>
> If I add routing entry of siteB to VPN3kA,
> I can ping to SiteB from SiteA
>
> I think it strange.

From losttoy2000 at yahoo.co.uk Sun May 25 01:36:24 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Sun, 25 May 2003 06:36:24 +0100 (BST)
Subject: [VPN] VPN and mail server
In-Reply-To: <001c01c32045$a32be120$7201a8c0@Najla>
Message-ID: <20030525053624.68894.qmail@web12702.mail.yahoo.com>

You need to set up your Society A as a hub for VPN and your other two sites as spokes. Look at this Cisco doc which has good info on how to set up PIX for hub-spoke design:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

--- Najla Ouragini wrote:
> Hi,
> I have a problem to configure a PIX version 6.2 for
> accessing a mail server.

From edp at fis.nachi-fujikoshi.co.jp Tue May 27 00:04:20 2003
From: edp at fis.nachi-fujikoshi.co.jp (Takashi Nishino)
Date: Tue, 27 May 2003 13:04:20 +0900
Subject: [VPN] Host to Host VPN
References:
Message-ID: <004601c32405$0d274660$7114550a@yadrl503>

Hi,

It is desirable to connect the VPN gateways (network-to-network VPN). The reason is as follows.

1. When a PC is added, setting changes on all the PCs become necessary.
2. Free VPN gateway software is available on the Internet (FreeS/WAN, OpenBSD and POPTOP (client access only)).

T.Nishino; Japan.

----- Original Message -----
From: "Walt Reynolds"
To:
Sent: Thursday, May 22, 2003 9:04 PM
Subject: Re: [VPN] Host to Host VPN

From DShaw at exceed.com.au Tue May 27 00:03:51 2003
From: DShaw at exceed.com.au (Dale Shaw)
Date: Tue, 27 May 2003 14:03:51 +1000
Subject: [VPN] "PAYLOAD_MALFORMED" VPN problem with SonicWall Pro and XAUTH
Message-ID:

Hi,

I am attempting to configure a SonicWall Pro to support remote access VPN users using a pre-shared key and XAUTH (using RADIUS to a Microsoft IAS Server). The SonicWall box is already working with just a pre-shared key -- I am just adding an additional authentication factor.

Here is an excerpt from the log viewer on a VPN client machine:

8<---
10:44:56.129 My Connections\sonic2-client - Initiating IKE Phase 1 (IP ADDR=203.x.x.34)
10:44:56.129 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK MM (SA, VID)
10:44:56.479 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK MM (SA, VID)
10:44:56.499 My Connections\sonic2-client - Peer is NAT-T capable
10:44:56.499 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID, VID, VID)
10:44:56.960 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK TRANS *(Opaque)
10:44:56.960 My Connections\sonic2-client - Received message for non-active SA
10:44:57.020 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK MM (KE, NAT-D, NAT-D, NON, VID, VID, VID)
10:44:57.040 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
10:44:57.390 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
10:45:03.049 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
10:45:03.429 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
10:45:03.429 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
10:45:03.429 My Connections\sonic2-client - Initiating IKE Phase 2 with Client IDs (message id: 32713DEC)
10:45:03.429 Initiator = IP ADDR=y.y.y.214, prot = 0 port = 0
10:45:03.429 Responder = IP SUBNET/MASK=10.0.0.0/255.255.255.0, prot = 0 port = 0
10:45:03.429 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
10:45:03.830 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_RESP_LIFETIME)
10:45:03.830 My Connections\sonic2-client - Established IKE SA
10:45:03.830 MY COOKIE b5 f2 7e 43 97 20 ec c7
10:45:03.830 HIS COOKIE 99 b6 fa 4d 4b 2e c b6
10:45:03.850 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK INFO (NOTIFY:PAYLOAD_MALFORMED)
10:45:03.850 My Connections\sonic2-client - Received invalid NOTIFY message (doi = 1, protocol_id = 0)
10:45:03.850 My Connections\sonic2-client - Discarding SA negotiation
10:45:03.850 My Connections\sonic2-client - Deleting IKE SA (IP ADDR=203.x.x.34)
10:45:03.850 MY COOKIE b5 f2 7e 43 97 20 ec c7
10:45:03.850 HIS COOKIE 99 b6 fa 4d 4b 2e c b6
8<---

I have confirmed that the RADIUS server is configured correctly and -can- successfully authenticate a user using the SonicWall's web management interface. I've made sure the IAS server is configured to accept PAP as an authentication type.

I'm fairly certain the problem is not related to a RADIUS configuration problem between the SonicWall and the IAS server; in fact when the client throws up the authentication dialog and credentials are entered, a matching 'success' entry is made in the IAS and SonicWall log.

Strangely, in testing this configuration the other day, phase 2 did succeed *once*. Nothing had changed, and after de-activating and re-activating the security policy, it continued to fail. Very strange - the only thing I can think of that was different about the time that it worked was that the client was loading up a heavy web page at the time and there were a few IKE retransmits as a result (the client is modem-connected).
Can anyone shed any light on what the "PAYLOAD_MALFORMED" error is about? I couldn't find any reference to it in SonicWall's support knowledgebase.

The VPN client OS is Windows 2000 Professional.

In order to go back to a working configuration, all I did was disable the 'require XAUTH' option on the SA and changed the SafeNet client back to Pre-Shared Keys (instead of PSK + XAUTH).

Cheers,
Dale

From TSimons at Delphi-Tech.com Tue May 27 07:17:21 2003
From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com)
Date: Tue, 27 May 2003 07:17:21 -0400
Subject: [VPN] "PAYLOAD_MALFORMED" VPN problem with SonicWall Pro and XAUTH
Message-ID: <880E60DA7286AB4CBEECB01B169A63BD0379D7E5@NJ-2K-Email1.delphi-tech.com>

Dale-

Double check your Diffie-Hellman (group1/group2) and PFS settings on both end points of the tunnel

~Todd

-----Original Message-----
From: Dale Shaw [mailto:DShaw at exceed.com.au]
Sent: Tuesday, May 27, 2003 12:04 AM
To: VPN at lists.shmoo.com
Subject: [VPN] "PAYLOAD_MALFORMED" VPN problem with SonicWall Pro and XAUTH
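A small analyser of the client log excerpt in Dale's post, added here as an example (it is not from the post, SonicWall or SafeNet): it walks the SafeNet log lines, counts the TRANS *(HASH, ATTR) exchanges that carry XAUTH, records when the client sent Quick Mode relative to "Established IKE SA", and pulls out any NOTIFY type other than STATUS_* such as PAYLOAD_MALFORMED. The line format and the sequencing check are inferred from the excerpt alone; the ordering it flags is what the log shows, not a confirmed cause.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the SafeNet client log from Dale Shaw's post above (captured, not constructed);
# the "Initiator =", "Responder =" and COOKIE lines are left out because the checks
# below do not use them.
CLIENT_LOG = r"""
10:44:56.129 My Connections\sonic2-client - Initiating IKE Phase 1 (IP ADDR=203.x.x.34)
10:44:56.129 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK MM (SA, VID)
10:44:56.479 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK MM (SA, VID)
10:44:56.499 My Connections\sonic2-client - Peer is NAT-T capable
10:44:56.499 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID, VID, VID)
10:44:56.960 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK TRANS *(Opaque)
10:44:56.960 My Connections\sonic2-client - Received message for non-active SA
10:44:57.020 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK MM (KE, NAT-D, NAT-D, NON, VID, VID, VID)
10:44:57.040 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
10:44:57.390 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
10:45:03.049 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
10:45:03.429 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
10:45:03.429 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
10:45:03.429 My Connections\sonic2-client - Initiating IKE Phase 2 with Client IDs (message id: 32713DEC)
10:45:03.429 My Connections\sonic2-client - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
10:45:03.830 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_RESP_LIFETIME)
10:45:03.830 My Connections\sonic2-client - Established IKE SA
10:45:03.850 My Connections\sonic2-client - RECEIVED<<< ISAKMP OAK INFO (NOTIFY:PAYLOAD_MALFORMED)
10:45:03.850 My Connections\sonic2-client - Discarding SA negotiation
10:45:03.850 My Connections\sonic2-client - Deleting IKE SA (IP ADDR=203.x.x.34)
"""

# "HH:MM:SS.mmm [My Connections\<policy> - ]<message>"; the policy prefix is optional
# because some client lines (the Initiator/Responder ID lines) omit it.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) (?:My Connections\\\S+ - )?(?P<msg>.*)$")
# Exchange lines: direction, ISAKMP exchange (MM/QM/TRANS/INFO), "*" when encrypted, payload list.
EXCH_RE = re.compile(r"^(?P<dir>SENDING>>>>|RECEIVED<<<) ISAKMP OAK (?P<exch>\w+) (?P<enc>\*?)\((?P<payloads>[^)]*)\)$")
NOTIFY_RE = re.compile(r"NOTIFY:(?P<type>[A-Z_]+)")


def to_ms(ts: str) -> int:
    """HH:MM:SS.mmm -> milliseconds since midnight, so timestamps compare as numbers."""
    hms, ms = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1000 + int(ms)


@dataclass
class Analysis:
    phase1_started_at: Optional[str] = None
    nat_t_capable: bool = False
    xauth_exchanges: int = 0          # TRANS *(HASH, ATTR): config-mode messages carrying XAUTH
    non_active_sa_messages: int = 0   # peer messages the client could not match to a live SA
    qm_sent_at: Optional[str] = None  # first Quick Mode message the client sent
    ike_sa_established_at: Optional[str] = None
    error_notifies: List[str] = field(default_factory=list)  # NOTIFY types other than STATUS_*
    sa_discarded: bool = False
    findings: List[str] = field(default_factory=list)


def analyse(log_text: str) -> Analysis:
    """Walk the log once, collect the events above, then run the sequencing checks."""
    a = Analysis()
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if msg.startswith("Initiating IKE Phase 1"):
            a.phase1_started_at = ts
        elif msg == "Peer is NAT-T capable":
            a.nat_t_capable = True
        elif msg == "Received message for non-active SA":
            a.non_active_sa_messages += 1
        elif msg == "Established IKE SA":
            a.ike_sa_established_at = ts
        elif msg == "Discarding SA negotiation":
            a.sa_discarded = True
        e = EXCH_RE.match(msg)
        if not e:
            continue
        payloads = [p.strip() for p in e.group("payloads").split(",")]
        if e.group("exch") == "TRANS" and payloads == ["HASH", "ATTR"]:
            a.xauth_exchanges += 1
        if e.group("exch") == "QM" and e.group("dir").startswith("SENDING") and a.qm_sent_at is None:
            a.qm_sent_at = ts
        for n in NOTIFY_RE.finditer(e.group("payloads")):
            if not n.group("type").startswith("STATUS_"):
                a.error_notifies.append(n.group("type"))
    # Quick Mode is only meaningful on top of an established phase 1 SA.
    if a.qm_sent_at and (a.ike_sa_established_at is None
                         or to_ms(a.qm_sent_at) < to_ms(a.ike_sa_established_at)):
        a.findings.append("quick mode sent before IKE SA was established")
    if a.non_active_sa_messages:
        a.findings.append("peer sent transaction message(s) before the phase 1 SA was active")
    for t in a.error_notifies:
        a.findings.append(f"peer rejected negotiation with NOTIFY:{t}")
    return a


if __name__ == "__main__":
    result = analyse(CLIENT_LOG)
    print(f"NAT-T capable: {result.nat_t_capable}, XAUTH exchanges: {result.xauth_exchanges}")
    for f in result.findings:
        print("finding:", f)
```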
From mspencer at evidentdata.com Tue May 27 11:56:29 2003
From: mspencer at evidentdata.com (Mark G. Spencer)
Date: Tue, 27 May 2003 08:56:29 -0700
Subject: [VPN] Comments on SonicWALL SOHO TZW?
Message-ID: <000b01c32468$89e08fa0$a500000a@alderon>

I'm curious if anyone has deployed the SonicWALL SOHO TZW and is willing to comment on the ease of use and functionality of this device? I just checked out the description at:

http://www.sonicwall.com/products/sohotzw.html

Apparently if you use this as an access point, you can require that all clients connect to it via IPSec? I think being able to authenticate to and create an IPSec VPN directly with an access point would be pretty cool. If this is indeed how it works, I might even be able to convince my boss to let us use wireless in the lab. It's not cheap though, @ $750-$800:

http://www.techdepot.com/Product.asp?ProductID=1638380&iid=342

So... I'm looking for any comments about this device. Do you think it's worth it? How has it worked for you?

Thanks,
Mark

From jsdy at center.osis.gov Fri May 30 00:05:14 2003
From: jsdy at center.osis.gov (Joseph S D Yao)
Date: Fri, 30 May 2003 00:05:14 -0400
Subject: [VPN] IPsec client through NAT - how?
Message-ID: <20030530000514.A21242@franklin.center.osis.gov>

I had thought I had understood the problem with IPsec and NAT, but perhaps I don't.

We have people coming in to our IPsec server (Nortel Contivity 2600) from a wide number of different configurations, some of which are protected by firewalls of one kind or another.

One site has a Checkpoint Firewall-1 device, doing many-to-many NAT. They were able to assign a workstation a static IP address, and do a static NAT to an external address. ESP, AH, and ISAKMP are open both ways. This person appears to be able to do IPsec just fine. But, of course, this is not a generalisable solution - there are not enough IP addresses on the outside to tie them down like this for too many users.

Another site has CP FW1 doing many-to-one NAT. With one external IP address and internal dynamic IP addresses, they are unable to do a static NAT for both reasons.
They are unable to set up the IPsec tunnel after authentication, and I thought I understood why.

But another site - using, I think, a SonicWall "firewall" appliance - also has many-to-one NAT and dynamic IP, and they are able to set up IPsec tunnels and talk with us for a while. They do go down after a while, but I think that has something to do with traffic on a site-to-site IPsec tunnel that they also have. ;-}

And several users say that they are doing dynamic IP on their home LANs behind a DSL or cable modem "firewall" that is also doing NAT, and that they can attach rock-solid.

What is the difference here that I am missing? Is the CP FW1 NAT that different from those of these other "firewall" devices [that I believe are basically stateful filtering routers]?

Has anyone tried the new Nortel Contivity VPN client: does it fix this? Does it open any new problems?

Thanks!

--
Joe Yao
jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.

From 80211 at earthlink.net Sat May 31 22:50:38 2003
From: 80211 at earthlink.net (Peter W. Merritt)
Date: 31 May 2003 19:50:38 -0700
Subject: [VPN] Slow Stunnel-PPP vpn through Openbsd nat firewall
Message-ID: <1054435838.21338.10.camel@Qudrat.weirdwaterorg.local>

Hello,

I posted on the stunnel list and they suggested I post here. I have a stunnel pppd VPN setup between an OpenBSD 3.3 firewall and a Zaurus PDA. I can establish the connection on both ends of the VPN, and ping hosts on both my LAN subnet and the internet. But using the internet through the NAT firewall is so slow that everything times out. I can see the packets passing and returning through the firewall with tcpdump. I can ping anything on the net, with normal ping times, no problem. It's just very slow. I believe it has something to do with the NATting because speeds are normal browsing on the LAN hosts.
Any help would be greatly appreciated. I can provide any additional info needed; thanks in advance.

Peter

From mdalto at sflawish.org Fri May 30 10:02:32 2003
From: mdalto at sflawish.org (Michael D'Alto)
Date: Fri, 30 May 2003 10:02:32 -0400
Subject: [VPN] IPsec vs. PPTP
Message-ID:

I have read in several places that IPsec performance is better than PPTP, though I have yet to find much detail about the magnitude or types of performance improvements. Does anyone have any experience with the performance difference between these two tunnel types?

Thanks!

Michael D'Alto
Technology and Research Coordinator
Make-A-Wish Foundation of Southern Florida
PO Box 17377
Fort Lauderdale, FL 33318
954.967.9474 ext. 314
954.987.2468 fax

If you know of a child with a life-threatening medical condition, please call

Great Course. Great Partners. Great Cause.
The 17th Annual Make-A-Wish Golf Classic
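An added worked example, not taken from any message in this thread, that ties together two things in the messages above: the "Peer is NAT-T capable" line and the pair of NAT-D payloads in Dale's SafeNet client log, and Joe Yao's question about why an IPsec client gets through some many-to-one NAT devices and not others. It shows the NAT detection step of IKE NAT traversal, as later standardized in RFC 3947 (a draft at the time of the thread): each side hashes the IKE cookies together with an IP address and UDP port, and the receiver recomputes the hashes from the addresses it actually sees on the wire. The cookies are the ones printed in Dale's log (the lone hex digit "c" in HIS COOKIE is read as the byte 0x0c); the addresses, ports and the NAT topology are constructed for this example, and SHA-1 stands in for whatever hash the Phase 1 proposal would have negotiated.

```python
"""
NAT detection in IKEv1 Main Mode via NAT-D payloads (RFC 3947).

A sender includes two or more NAT-D payloads:
  NAT-D[0]   = HASH(CKY-I | CKY-R | destination IP | destination port)
  NAT-D[1..] = HASH(CKY-I | CKY-R | source IP | source port)
The receiver recomputes the same hashes from the addresses it observes;
a mismatch means a NAT rewrote that side's address or port in transit.
"""
import hashlib
import socket
import struct

# IKE cookies as printed in the SafeNet client log in this thread.
CKY_I = bytes.fromhex("b5f27e439720ecc7")
CKY_R = bytes.fromhex("99b6fa4d4b2e0cb6")


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D hash over both cookies, an IPv4 address and a UDP port, all in network byte order."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, dst, src):
    """NAT-D payloads a sender puts in its Main Mode message: the peer's address first, then its own."""
    return [nat_d(cky_i, cky_r, *dst), nat_d(cky_i, cky_r, *src)]


def detect_nat(cky_i, cky_r, own, seen_peer, received):
    """Compare the peer's NAT-D payloads with what this side observes.

    own:       (ip, port) this side believes it is using
    seen_peer: (ip, port) of the peer as it appears on the received packet
    received:  NAT-D payloads taken from the peer's message
    Returns (this_side_behind_nat, peer_behind_nat).
    """
    # If the peer's hash of *our* address differs from our own, something rewrote us.
    this_side_behind_nat = received[0] != nat_d(cky_i, cky_r, *own)
    # If none of the peer's hashes of *its* addresses match what we see, the peer was rewritten.
    peer_behind_nat = nat_d(cky_i, cky_r, *seen_peer) not in received[1:]
    return this_side_behind_nat, peer_behind_nat


def demo():
    """Constructed topology (RFC 5737 documentation ranges): a client on a private LAN
    behind a many-to-one NAT, talking to a VPN gateway that has a public address."""
    client = ("10.0.0.5", 500)          # the client's own view of its address
    nat_public = ("203.0.113.7", 1025)  # what the NAT rewrites that to on the outside
    gateway = ("198.51.100.34", 500)

    # Client -> gateway: the client hashes the gateway's address and its own private one.
    from_client = build_nat_d(CKY_I, CKY_R, dst=gateway, src=client)
    # The gateway sees the packet arrive from the NAT's public address, not from 10.0.0.5.
    gateway_view = detect_nat(CKY_I, CKY_R, own=gateway, seen_peer=nat_public, received=from_client)

    # Gateway -> client: the gateway hashes the source address it actually saw (the NAT's).
    from_gateway = build_nat_d(CKY_I, CKY_R, dst=nat_public, src=gateway)
    client_view = detect_nat(CKY_I, CKY_R, own=client, seen_peer=gateway, received=from_gateway)

    return gateway_view, client_view


if __name__ == "__main__":
    g, c = demo()
    print("gateway sees: self behind NAT=%s, peer behind NAT=%s" % g)
    print("client  sees: self behind NAT=%s, peer behind NAT=%s" % c)
```

Run as-is, the gateway concludes it is not behind a NAT but its peer is, and the client concludes the opposite, which is exactly the condition under which a NAT-T capable pair moves IKE to UDP port 4500 and wraps ESP in UDP. That encapsulation is the practical answer to the difference Joe is seeing: plain ESP carries an SPI but no transport port, so a many-to-one NAT has nothing to distinguish a second inside client by, and AH's integrity check covers the source address so any rewrite fails verification; opening ESP, AH and ISAKMP on the firewall does not change either fact. Some consumer NAT devices work around this with an IPsec pass-through that tracks ESP SPIs for one client at a time, which is why a single home user behind a cable or DSL router can look "rock-solid" while the same setup fails for several users behind one corporate address.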