From drewgost at adelphia.net Sat Nov 1 07:00:36 2003
From: drewgost at adelphia.net (Andrew J Gostanian Jr.)
Date: Sat, 1 Nov 2003 07:00:36 -0500
Subject: [VPN] PIX to PIX VPN
In-Reply-To: <20031031190008.89673157D7@mail.iocaine.com>
Message-ID: <000d01c3a06f$c6136640$6601a8c0@hawaii>

Hi Joe,

I would like to help you, but I am having an issue connecting to my VPN from outside. When I'm in the company I can connect to my VPN server, but when I go home and try to connect it says "verifying username and password", then it just times out with error 781 or 789 depending on settings. I noticed we use the same firewall, a PIX 515. I opened up port 1723 and GRE as well as 500. It won't let me through.

From my office I connected to a dial-up, then I connected to my server at home via a VPN connection; it worked great. When I try to connect to my server at home through the LAN I can't connect. It must be the PIX not letting me through. Can you please send me your settings before they set me free.

Thanks,
Drew

-----Original Message-----
From: vpn-request at lists.shmoo.com
Sent: Friday, October 31, 2003 2:00 PM
To: vpn at lists.shmoo.com
Subject: VPN Digest, Vol 6, Issue 16

Send VPN mailing list submissions to vpn at lists.shmoo.com. To subscribe or unsubscribe via the World Wide Web, visit http://lists.shmoo.com/mailman/listinfo/vpn or, via email, send a message with subject or body 'help' to vpn-request at lists.shmoo.com. You can reach the person managing the list at vpn-owner at lists.shmoo.com. When replying, please edit your Subject line so it is more specific than "Re: Contents of VPN digest..."

Today's Topics:
   1. Pix to Pix VPN Question (Laneille&Joe)

----------------------------------------------------------------------

Message: 1
Date: Wed, 29 Oct 2003 11:35:03 -0000
From: "Laneille&Joe"
Subject: [VPN] Pix to Pix VPN Question
Message-ID: <000501c39e10$b2834ac0$0a01a8c0 at joehome>
Content-Type: text/plain; charset="us-ascii"

Hi,

OK, where to start. We have three corporate network sites all connected using PIX 515s via a VPN. I have had no problems getting all this working; for example, I can ping the inside zone of network B from the inside zone in network A.

Within network A I have an Internal zone 192.168.1.0 and a Webzone 192.168.2.0, and within network B I have an Internal zone 192.168.10.0 and a Webzone 192.168.11.0. As stated above, I am able to connect from 192.168.1.0 to 192.168.10.0 via the usual crypto map setup. What I would like to do is connect from Network A 192.168.1.0 (Internal) to Network B 192.168.11.0 (Webzone). I have not been able to get this working. Please let me know if you have any ideas.

Regards,
Joe Rossi

------------------------------

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

End of VPN Digest, Vol 6, Issue 16
**********************************
From kelly_koons at yahoo.com.sg Mon Nov 3 23:28:31 2003
From: kelly_koons at yahoo.com.sg (Kelly Koons)
Date: Tue, 4 Nov 2003 12:28:31 +0800 (CST)
Subject: [VPN] VPN contivity 4500 config
In-Reply-To: <20031103065817.57914.qmail@web60102.mail.yahoo.com>
Message-ID: <20031104042831.43538.qmail@web60107.mail.yahoo.com>

All,

I have a Contivity 4500 box running with more than 200 customers on it. I have one more Contivity 4500 box which was supposed to be part of a redundancy setup, but that never happened. I would appreciate it if you can help me with 2 questions:

1) How do I move the existing config from Box A, with 200 customers on it, to Box B, which is empty? (I did try to create some configs manually but it's very time consuming.) In case Box A dies I can point users to Box B. Also, can I sync them periodically?

2) Can I enable redundancy between these 2 boxes to auto-failover?

Thanks,
Kelly

From yroques at fininfo.fr Wed Nov 5 13:27:00 2003
From: yroques at fininfo.fr (ROQUES Yann)
Date: Wed, 5 Nov 2003 19:27:00 +0100
Subject: [VPN] Installing FreeS/wan
Message-ID: <9F0E818752625641850717A2C8E7C8CC019B3A9F@fininfomail.fininfo.grp>

Hi all,

I am trying to install FreeS/WAN 2.03 on a Red Hat server and it seems to be more complicated than I expected! I am a network guy - I have never installed FreeS/WAN - and I don't know much about Linux and "rebuilding the kernel", etc. Does anyone know where I can find resources that describe step by step the installation of FreeS/WAN?

Thanks in advance!
Yann

-----------------------------------------------------
This message and any attachments (the "message") are intended solely for the addressees and are confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except with formal approval. Neither FININFO (nor any of its subsidiaries or affiliates) shall be liable for the message if modified, altered, falsified, edited or diffused without authorization.

From tbird at precision-guesswork.com Wed Nov 5 15:59:05 2003
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 5 Nov 2003 12:59:05 -0800 (PST)
Subject: [VPN] windows network browsing through VPN

anyone have decent documentation (or willing to write such a thing for the VPN web site) on the ever-present and annoying question of getting windows systems to be able to browse networks of windows file servers/network drives over a VPN? i haven't had to do it in ages and am hopeful that someone's got good references....
thanks in advance -- tbird

From rmalayter at bai.org Wed Nov 5 16:21:43 2003
From: rmalayter at bai.org (Ryan Malayter)
Date: Wed, 5 Nov 2003 15:21:43 -0600
Subject: [VPN] windows network browsing through VPN
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A012C369D@cliff.bai.org>

A working WINS infrastructure with proper WINS replication makes it work for us. Is this a site-to-site issue, or a client-to-gateway issue?

> -----Original Message-----
> From: Tina Bird
> Sent: Wednesday, November 05, 2003 2:59 PM
> To: vpn at lists.shmoo.com
> Subject: [VPN] windows network browsing through VPN
>
> anyone have decent documentation (or willing to write such a thing for the
> VPN web site) on the ever-present and annoying question of getting windows
> systems to be able to browse networks of windows file servers/network
> drives over a VPN?
>
> i haven't had to do it in ages and am hopeful that someone's got good
> references....
>
> thanks in advance -- tbird

From tbird at precision-guesswork.com Wed Nov 5 16:38:37 2003
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 5 Nov 2003 13:38:37 -0800 (PST)
Subject: [VPN] windows network browsing through VPN
In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2A012C369D@cliff.bai.org>

On Wed, 5 Nov 2003, Ryan Malayter wrote:

> A working WINS infrastructure with proper WINS replication makes it work
> for us. Is this a site-to-site issue, or a client-to-gateway issue?

remote access, so client-to-gateway. i've got no idea whether the internal network is running WINS or not -- i'm providing advice in a "friend of a friend" capacity.
i've suggested adding the domain controller to the local LMHOSTS on the assumption that it's the master browser for file servers in the domain, but that's a long ago memory and i've no real idea....

From qmitchell at macromed.com Wed Nov 5 16:45:01 2003
From: qmitchell at macromed.com (Quinn Mitchell)
Date: Wed, 5 Nov 2003 14:45:01 -0700
Subject: [VPN] windows network browsing through VPN

I've tried that but it doesn't work. Neither does a HOSTS entry.

> -----Original Message-----
> From: Tina Bird
> Sent: Wednesday, November 05, 2003 2:39 PM
> To: Ryan Malayter
> Cc: vpn at lists.shmoo.com
> Subject: RE: [VPN] windows network browsing through VPN
>
> On Wed, 5 Nov 2003, Ryan Malayter wrote:
>
> > A working WINS infrastructure with proper WINS replication makes it work
> > for us. Is this a site-to-site issue, or a client-to-gateway issue?
>
> remote access, so client-to-gateway. i've got no idea whether the internal
> network is running WINS or not -- i'm providing advice in a "friend of a
> friend" capacity. i've suggested adding the domain controller to the local
> LMHOSTS on the assumption that it's the master browser for file servers in
> the domain, but that's a long ago memory and i've no real idea....

From Juan at ideaforest.com Wed Nov 5 16:52:46 2003
From: Juan at ideaforest.com (Juan Gonzalez)
Date: Wed, 5 Nov 2003 13:52:46 -0800
Subject: [VPN] windows network browsing through VPN

This has worked for me in a Windows VPN environment:

- Make sure that you do have a Windows server running WINS.
- Make sure that the VPN connection has the WINS server IP address and DNS server entries in its properties.

That's it!
> -----Original Message-----
> From: Quinn Mitchell
> Sent: Wednesday, November 05, 2003 1:45 PM
> To: Tina Bird
> Cc: vpn at lists.shmoo.com
> Subject: RE: [VPN] windows network browsing through VPN
>
> I've tried that but it doesn't work. Neither does a HOSTS entry.
>
> > -----Original Message-----
> > From: Tina Bird
> > Sent: Wednesday, November 05, 2003 2:39 PM
> > To: Ryan Malayter
> > Cc: vpn at lists.shmoo.com
> > Subject: RE: [VPN] windows network browsing through VPN
> >
> > On Wed, 5 Nov 2003, Ryan Malayter wrote:
> >
> > > A working WINS infrastructure with proper WINS replication makes it work
> > > for us. Is this a site-to-site issue, or a client-to-gateway issue?
> >
> > remote access, so client-to-gateway. i've got no idea whether the internal
> > network is running WINS or not -- i'm providing advice in a "friend of a
> > friend" capacity. i've suggested adding the domain controller to the local
> > LMHOSTS on the assumption that it's the master browser for file servers in
> > the domain, but that's a long ago memory and i've no real idea....

From jrdepriest at ftb.com Wed Nov 5 17:11:44 2003
From: jrdepriest at ftb.com (DePriest, Jason R.)
Date: Wed, 5 Nov 2003 16:11:44 -0600
Subject: [VPN] windows network browsing through VPN

> -----Original Message-----
> From: Tina Bird
> Sent: Wednesday, November 05, 2003 3:39 PM
> To: Ryan Malayter
> Cc: vpn at lists.shmoo.com
> Subject: RE: [VPN] windows network browsing through VPN
>
> On Wed, 5 Nov 2003, Ryan Malayter wrote:
>
> > A working WINS infrastructure with proper WINS replication makes it work
> > for us. Is this a site-to-site issue, or a client-to-gateway issue?
>
> remote access, so client-to-gateway. i've got no idea whether the
> internal network is running WINS or not -- i'm providing advice in a
> "friend of a friend" capacity. i've suggested adding the domain
> controller to the local LMHOSTS on the assumption that it's the master
> browser for file servers in the domain, but that's a long ago
> memory and i've no real idea....

I have 15 articles I archived from the Windows 2000 Magazine website a year or so ago while researching the same sort of name resolution issues (which is what it boils down to). I'd be happy to zip them up and ship them to you if you think they might help someone. I don't have the original URLs, but they are named thus: A DNS Primer; Advanced WINS Features; Domain Name Resolution with DNS; How DNS Works; Implementing WINS; Inside a NetBIOS Name Resolution; More LMHOSTS Tips; Name Resolvers WINS vs DNS; Navigating Name Resolution, Part 1; Navigating Name Resolution, Part 2; Need a Name-Resolution Solution; NetBIOS Names and WINS; Pick Users' Domain Controller; and The Case of the Empty Network Neighborhood.

-Jason

From exo_wa at yahoo.com Wed Nov 5 18:53:55 2003
From: exo_wa at yahoo.com (Exo Wa)
Date: Wed, 5 Nov 2003 15:53:55 -0800 (PST)
Subject: [VPN] NetScreen 25: VPN Clients keep getting dropped.
Message-ID: <20031105235355.8694.qmail@web21009.mail.yahoo.com>

Hi,

I have set up a Windows 2000 Server as a VPN server sitting behind a NetScreen 25. It's been working fine... for a while. Currently, users keep complaining that their connections get dropped frequently even though they have no problem logging back in. But the annoying thing for them is that it drops almost every other hour.

Here's my topology just to give you a little idea:

Internet --> Cisco Router --> NetScreen 25 --> Dell Switch --> VPN Server (on Windows 2000 Server).
In the NetScreen policy I am using the following config:

Source Address: ANY
Destination Address: MIP IP
Service: PPTP
Action: Permit

Again, it's been working, but just lately a lot of drops. Thanks for any help or pointers at all.

Peace,
Exo

From jef at linuxbe.org Thu Nov 6 03:50:59 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Thu, 6 Nov 2003 09:50:59 +0100
Subject: [VPN] windows network browsing through VPN
Message-ID: <20031106085059.GA2443@gardafou.assamite.eu.org>

This is basically not specific at all to VPNs, but to routed infrastructures (put a router in the middle of your LAN and you'll have the exact same problem). As already mentioned, a WINS server or a proper DNS/LDAP setup in a W2K+ network type should make the thing work.

On Wed, Nov 05, 2003 at 12:59:05PM -0800, Tina Bird wrote:
> anyone have decent documentation (or willing to write such a thing for the
> VPN web site) on the ever-present and annoying question of getting windows
> systems to be able to browse networks of windows file servers/network
> drives over a VPN?
>
> i haven't had to do it in ages and am hopeful that someone's got good
> references....
>
> thanks in advance -- tbird

--
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From Andrew.Prince at TrinitySecurity.com Thu Nov 6 05:09:15 2003
From: Andrew.Prince at TrinitySecurity.com (Andrew Prince)
Date: Thu, 6 Nov 2003 10:09:15 -0000
Subject: [VPN] VPN contivity 4500 config
In-Reply-To: <20031104042831.43538.qmail@web60107.mail.yahoo.com>
Message-ID: <001401c3a44e$08ea4100$0b0ba8c0@007>

Yes, you can do both - item 2 requires an advanced routing licence; if you have one then all is OK. If you email me directly I will send you a PDF of how to copy and transfer configurations, and also the configuration for failover.

> -----Original Message-----
> From: Kelly Koons
> Sent: 04 November 2003 04:29
> To: vpn at lists.shmoo.com
> Subject: [VPN] VPN contivity 4500 config
>
> All,
>
> I have a Contivity 4500 box running with more than 200 customers on it. I
> have one more Contivity 4500 box which was supposed to be part of a
> redundancy setup, but that never happened. I would appreciate it if you can
> help me with 2 questions:
>
> 1) How do I move the existing config from Box A, with 200 customers on it,
> to Box B, which is empty? (I did try to create some configs manually but
> it's very time consuming.) In case Box A dies I can point users to Box B.
> Also, can I sync them periodically?
>
> 2) Can I enable redundancy between these 2 boxes to auto-failover?
>
> Thanks,
> Kelly

From mzimmerman at icsalabs.com Fri Nov 7 08:46:10 2003
From: mzimmerman at icsalabs.com (Zimmerman, Mark)
Date: Fri, 7 Nov 2003 08:46:10 -0500
Subject: [VPN] VPN Advanced Troubleshooting Guide

Tina/All,

Here is a URL that may be of interest to anyone trying to implement and get a VPN solution to interoperate.
Many people (including me) have been pestering Darren Hartman, our Lead Security Analyst, to put some of his vast experience on paper and provide a guide for config and troubleshooting. Comments welcome.

http://www.icsalabs.com/html/communities/ipsec/IPsec_Advanced_Toubleshooting_Guide%20Final.pdf

Regards,

Mark Zimmerman
IPSec/Cryptography Program Manager
ICSA Labs
1000 Bent Creek Blvd, Suite 200
Mechanicsburg PA 17050
Phone: 717.790.8144
Fax: 717.790.8170
mzimmerman at icsalabs.com
www.icsalabs.com

***********************************************************************
This message is intended only for the use of the intended recipient and may contain information that is PRIVILEGED and/or CONFIDENTIAL. If you are not the intended recipient, you are hereby notified that any use, dissemination, disclosure or copying of this communication is strictly prohibited. If you have received this communication in error, please destroy all copies of this message and its attachments and notify us immediately.
***********************************************************************

From secbyte at squarework.com Fri Nov 7 09:20:56 2003
From: secbyte at squarework.com (secbyte at squarework.com)
Date: Fri, 07 Nov 2003 09:20:56 -0500
Subject: [VPN] Speed
Message-ID: <3FABAA48.2090603@squarework.com>

I just put a Netopia VPN up between Andover NJ and Knoxville Tenn, using SafeNet as the IPSec client. Any ideas why it is so slow, and how to speed it up? It is an accountant looking at a 168 meg QuickBooks file. I suspect its size matters, but any ideas?

George

From agh3 at tlcnetworks.com Sat Nov 8 01:54:53 2003
From: agh3 at tlcnetworks.com (Andrew Hargreave)
Date: Sat, 8 Nov 2003 00:54:53 -0600
Subject: [VPN] Speed

George,

You don't provide us with any connection rates on both ends of the VPN.
However, a 168 meg QuickBooks file opening across the wire is really unrealistic given how QuickBooks accesses the files. If the accountant really needs to access QuickBooks from a remote location, I would suggest using Terminal Services via the VPN.

Andrew G. Hargreave, III (GIAC Security Essentials Certified)

> secbyte at squarework.com wrote on 11/07/2003 08:20 AM:
>
> I just put a Netopia VPN up between Andover NJ and Knoxville Tenn, using
> SafeNet as the IPSec client. Any ideas why it is so slow, and how to speed
> it up? It is an accountant looking at a 168 meg QuickBooks file. I suspect
> its size matters, but any ideas?
>
> George

From dan_linder at yahoo.com Sat Nov 8 01:54:56 2003
From: dan_linder at yahoo.com (Daniel Linder)
Date: Fri, 7 Nov 2003 22:54:56 -0800 (PST)
Subject: [VPN] Speed
In-Reply-To: <3FABAA48.2090603@squarework.com>
Message-ID: <20031108065456.47752.qmail@web11606.mail.yahoo.com>

--- secbyte at squarework.com wrote:
> I just put a Netopia VPN up between Andover NJ and Knoxville Tenn,
> using SafeNet as the IPSec client. Any ideas why it is so slow, and
> how to speed it up? It is an accountant looking at a 168 meg QuickBooks
> file. I suspect its size matters but any ideas?

First off, what are the upload and download speeds of each end of the VPN?

Just doing the math, a 168 MB file on a 10 Mb LAN connection (or 11 Mb wireless) would take 3 minutes to copy, assuming 70% efficiency of the TCP/IP Ethernet. Now, if the links on each end are T1s (1.544 Mbit/sec) the time goes up to 21 minutes (again at 70% efficiency).

Computations:

  128k:  (168 MBytes) / (128 kbit/sec)   * (8192 bits/Byte) / (0.70) = 15360 sec (4.25 hours!)
  T1:    (168 MBytes) / (1.544 Mbit/sec) * (8 bits/Byte)    / (0.70) = 1243 sec
  10Mb:  (168 MBytes) / (10 Mbit/sec)    * (8 bits/Byte)    / (0.70) = 192 sec
  100Mb: (168 MBytes) / (100 Mbit/sec)   * (8 bits/Byte)    / (0.70) = 19 sec

What times were you expecting?

Dan

From Andrew.Prince at TrinitySecurity.com Sat Nov 8 05:25:09 2003
From: Andrew.Prince at TrinitySecurity.com (Andrew Prince)
Date: Sat, 8 Nov 2003 10:25:09 -0000
Subject: [VPN] NetScreen 25: VPN Clients keep getting dropped.
In-Reply-To: <20031105235355.8694.qmail@web21009.mail.yahoo.com>
Message-ID: <001701c3a5e2$962cb490$0201a8c0@007>

What are your VPN numbers? Can the 25 handle that number of users? Check your timeouts & keepalives?

> -----Original Message-----
> From: Exo Wa
> Sent: 05 November 2003 23:54
> To: vpn at lists.shmoo.com
> Subject: [VPN] NetScreen 25: VPN Clients keep getting dropped.
>
> Hi,
>
> I have set up a Windows 2000 Server as a VPN server sitting behind a
> NetScreen 25. It's been working fine... for a while. Currently, users keep
> complaining that their connections get dropped frequently even though they
> have no problem logging back in. But the annoying thing for them is that it
> drops almost every other hour.
>
> Here's my topology just to give you a little idea:
>
> Internet --> Cisco Router --> NetScreen 25 --> Dell Switch --> VPN Server
> (on Windows 2000 Server).
>
> In the NetScreen policy I am using the following config:
>
> Source Address: ANY
> Destination Address: MIP IP
> Service: PPTP
> Action: Permit
>
> Again, it's been working, but just lately a lot of drops. Thanks for any
> help or pointers at all.
>
> Peace,
> Exo
From TSimons at Delphi-Tech.com Fri Nov 7 13:48:13 2003
From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com)
Date: Fri, 7 Nov 2003 13:48:13 -0500
Subject: [VPN] [rapt] Greater than DES overseas
Message-ID: <20031107184818.99B4F10738@hangar19.firetower.com>

Hello Everyone.

Does anyone know if encryption levels higher than DES are allowed overseas yet, namely in China? Someplace I can look on the web? ...Google returned some stuff, but no direct answers.

Thanks,
~Todd

__________________________________
Todd M. Simons
Senior MIS Engineer
Dell Tier 1 PA Technician
Delphi Technology, Inc.
New Brunswick, NJ

Note: The contents of this email do not constitute a legally binding commitment.

* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
* Sponsored by FireTower, Inc.   --[ Internet Security Consulting ]--
* http://www.firetower.com       Security Architecture Design,
* info at firetower.com            Vulnerability Assessments,
* 508/359-4490 ph                Firewalls, VPN, IDS, Content Control,
* 508/359-4466 fx                Policy Management, Training, etc.
*
* Before posting, please check the following resources:
* SEF/Raptor FAQs       http://www.firetower.com/faqs/
* Searchable Archives   http://firetower.com/archives.html
* Patches/Hotfixes      http://www.symantec.com/techsupp/enterprise/
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *

From kelly_koons at yahoo.com.sg Sat Nov 8 14:06:37 2003
From: kelly_koons at yahoo.com.sg (Kelly Koons)
Date: Sun, 9 Nov 2003 03:06:37 +0800 (CST)
Subject: [VPN] VPN user authentication via Shiva Access Manager 5.0
In-Reply-To: <001701c3a5e2$962cb490$0201a8c0@007>
Message-ID: <20031108190637.28633.qmail@web60110.mail.yahoo.com>

All,

I am using Shiva Access Manager on Solaris to authenticate the VPN users. For a week I have been having some issues with the SAM: whenever I add a new user it disappears right away. I am wondering if any of you have seen the same issue? I would really appreciate some help on this.

Thanks,
Kelly

From bjaber at ipass.com Sat Nov 8 14:30:12 2003
From: bjaber at ipass.com (Basim Jaber)
Date: Sat, 8 Nov 2003 11:30:12 -0800
Subject: [VPN] windows network browsing through VPN

Here's some food for thought...

Not all VPN clients are alike. The two "main" types are "shim" and "virtual adapter". If a VPN client can be installed and obtain its own IP, DNS, WINS, etc. from the gateway and/or a DHCP server behind the gateway, then this is the best approach. However, the problem arises when VPN clients are installed in a shim mode and "bind" to existing Internet connections. Clients that bind to existing connections will use the DNS, IP, WINS, etc. from that connection.
So if you connected to the Internet via some remote ISP (via modem, ISDN, DSL, WiFi, Ethernet broadband, etc.), you'll get an IP address which your VPN gateway doesn't know about, and you'll get DNS entries from that ISP which may only be able to resolve your external interface resources (i.e. the VPN gateway address, a web address, nothing internal). In just about all the cases I've seen, a connection to the Internet with a remote ISP never hands down WINS addresses. For that matter, "shim" type VPN clients will fail to allow you to resolve NetBIOS hostnames. Even if you use Active Directory DDNS, you still can't resolve, as the AD DDNS servers would be behind the VPN gateway and the external DNS servers from the ISP don't contain name resolution records for your internal servers (they better not!).

Here's a small list of the VPNs that I've worked extensively with which will let you get whatever the ISP gives you and then ALSO let you have an IP, DNS, and/or WINS from the VPN:

- Cisco VPN 3000 Concentrator Series and VPN Client
- Nortel Contivity Extranet
- Check Point (NG FP1 or later with "Office Mode")
- Microsoft PPTP or L2TP/IPSec
- Shiva LAN Rover VPN (formerly Intel NetStructure... Shiva bought it back)

There are PLENTY more, but these are the ones I've worked extensively with and have had no problems with name resolution (WINS or D/DNS).

Hope this helps.

________________________________
Basim S. Jaber
Senior Systems Engineer
Field Sales - North America
iPass, Inc.
bjaber at iPass.com

> -----Original Message-----
> From: Tina Bird
> Sent: Wednesday, November 05, 2003 12:59 PM
> To: vpn at lists.shmoo.com
> Subject: [VPN] windows network browsing through VPN
>
> anyone have decent documentation (or willing to write such a thing for the
> VPN web site) on the ever-present and annoying question of getting windows
> systems to be able to browse networks of windows file servers/network
> drives over a VPN?
> i haven't had to do it in ages and am hopeful that someone's got good
> references....
>
> thanks in advance -- tbird

From dr_t1mel0rd at hotmail.com Sat Nov 8 16:05:24 2003
From: dr_t1mel0rd at hotmail.com (Dr T1meL0rD)
Date: Sat, 08 Nov 2003 16:05:24 -0500
Subject: [VPN] [rapt] Greater than DES overseas

Try http://www.bxa.doc.gov/Encryption/

> -----Original Message-----
> From: TSimons at Delphi-Tech.com
> Sent: Friday, November 07, 2003 1:48 PM
> To: raptor-list at firetower.com
> Subject: [VPN] [rapt] Greater than DES overseas
>
> Hello Everyone.
>
> Does anyone know if encryption levels higher than DES are allowed overseas
> yet, namely in China? Someplace I can look on the web? ...Google returned
> some stuff, but no direct answers.
>
> Thanks,
> ~Todd

From piranhabros at yahoo.com Sat Nov 8 16:07:40 2003
From: piranhabros at yahoo.com (Michael Batchelder)
Date: Sat, 8 Nov 2003 13:07:40 -0800 (PST)
Subject: [VPN] Re: Speed
In-Reply-To: <20031108183843.4D61A16B51@mail.iocaine.com>
Message-ID: <20031108210740.5572.qmail@web13807.mail.yahoo.com>

> Message: 6
> Date: Sat, 8 Nov 2003 00:54:53 -0600
> From: Andrew Hargreave
> Subject: Re: [VPN] Speed
> To: vpn maillist
> Content-Type: text/plain; charset="us-ascii"
>
> George,
>
> You don't provide us with any connection rates on both ends of
> the VPN. However, a 168 meg QuickBooks file opening across the
> wire is really unrealistic given how QuickBooks accesses the
> files. If the accountant really needs to access QuickBooks
> from a remote location, I would suggest
> using Terminal Services via the VPN.
>
> Andrew G. Hargreave, III (GIAC Security Essentials Certified)

I concur with Andrew's assessment regarding QuickBooks doing file access that makes opening remote QuickBooks files painfully slow. The app wants to access its data files through standard file system protocols. So break out a packet sniffer and you'll see the usual tons of M$ Networking file share traffic going down your pipe, and waiting for responses, on top of the file size issue that Dan calculated in the next post.
To go one step further, Quickbooks says that the app was never meant to work in a remote access environment. They will offer to sell you the webified version, though! Binky __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree From TSimons at Delphi-Tech.com Mon Nov 10 20:37:13 2003 From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com) Date: Mon, 10 Nov 2003 20:37:13 -0500 Subject: [VPN] windows network browsing through VPN Message-ID: <880E60DA7286AB4CBEECB01B169A63BD142C851A@NJ-2K-Email1.delphi-tech.com> LMHOSTS works if you use the #PRE and #DOM [domainname] switches for your domain controller, and also register your domain with proper 15 character padding and ending with a special character in the 16th character. I will tell you this though... If your going to NAT your VPN enties into a DMZ network (2 firewall setup) you will run into problems with Netbios, because it embeds the source of the traffic in the payload of the packets, which destroys any transform rules. This setup looks like this: Client===[VPNGW]----[CorpFW]-- -----Original Message----- From: Quinn Mitchell [mailto:qmitchell at macromed.com] Sent: Wednesday, November 05, 2003 4:45 PM To: Tina Bird Cc: vpn at lists.shmoo.com Subject: RE: [VPN] windows network browsing through VPN I've tried that but it doesn't work. Neither does a HOSTS entry. -----Original Message----- From: Tina Bird [mailto:tbird at precision-guesswork.com] Sent: Wednesday, November 05, 2003 2:39 PM To: Ryan Malayter Cc: vpn at lists.shmoo.com Subject: RE: [VPN] windows network browsing through VPN On Wed, 5 Nov 2003, Ryan Malayter wrote: > A working WINS infrastructure with proper WINS replication makes it work > for us. Is this a site-to-site issue, or a client-to-gateway issue? remote access, so client-to-gateway. 
i've got no idea whether the internal network is running WINS or not -- i'm providing advice in a "friend of a friend" capacity. i've suggested adding the domain controller to the local LMHOSTS on the assumption that it's the master browser for file servers in the domain, but that's a long ago memory and i've no real idea.... _______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn _______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn From Erik.Hofmann at infineon.com Wed Nov 12 04:10:15 2003 From: Erik.Hofmann at infineon.com (Erik.Hofmann at infineon.com) Date: Wed, 12 Nov 2003 10:10:15 +0100 Subject: [VPN] open source based IPSec products? Message-ID: <06C7023092FF1846A04FC76A17576A0801E5FE1D@mucse002.eu.infineon.com> Dear all, Hopefully this is no FAQ with which I bore you ;-) If yes, please forgive me. I am looking for information / product list about open source based IPSec encryptors for high security requirements. general requirements are: * open source based crypto algorithms implementation and/or certified by some authority of EU (eg like the BSI in germany) * applicable in large environments: redundancy, appropriate tools for central management and monitoring, maybe hardware acceleration for high bandwidth links * The company should be able to offer operations support for its boxes for a global acting company * desirable would be a european product kindly regards Erik From b_moyer at charter.net Wed Nov 12 14:38:54 2003 From: b_moyer at charter.net (Brian at Charter) Date: Wed, 12 Nov 2003 14:38:54 -0500 Subject: [VPN] Neophite question Message-ID: <000801c3a954$9bc853d0$6401a8c0@bioeng.pitt.edu> To anyone willing to help! I used to be able to use access my office computer network from home through my ISP. 
As I am sure you all know, the worms from earlier this year caused many ISPs to block certain ports that now make access the old way impossible. So, I tried to set up a VPN access point. After allowing IPSec and PPTP pass through on my home router, I am now able to connect to my office desktop from home through VPN. The problem is, once I make this connection, my ability to get to the internet is destroyed. I can no longer surf the web, send emails, etc. Although I can ping my office machine, I can not get to any of my shares and I can not ping any other machines at work. I am running Windows 2000 on both machines. I do not even know what other information would help to diagnose this problem. If you could please point me in the right direction, I would really appreciate it. Kindly, Brian -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.shmoo.com/pipermail/vpn/attachments/20031112/a1bc84d2/attachment.htm From gpratts at vscinc.com Wed Nov 12 17:41:40 2003 From: gpratts at vscinc.com (Glenda Pratts) Date: Wed, 12 Nov 2003 16:41:40 -0600 Subject: [VPN] VPN tunnel between 2 Cisco 1721 Routers Message-ID: Hello, I am trying to set up an IPSec tunnel between two Cisco 1721 routers (with VPN modules installed) between two networks using private IP addresses. Both routers are connected to the internet via a fractional T1, and are running Cisco IOS version 12.2(13). I would like to set up encryption for all data sent through the tunnel, and use NAT for all traffic not sent through the tunnel. Any assistance configuring the VPN and the NAT is greatly appreciated. Thanks, Glenda Pratts System Administrator Valve Systems and Controls 501 W. 
38th Street Houston, Texas 77018 713.742.1015 (direct) 713.742.1010 (fax) From roger.qian at sholodge.com Thu Nov 13 12:30:46 2003 From: roger.qian at sholodge.com (Roger Qian) Date: Thu, 13 Nov 2003 11:30:46 -0600 Subject: [VPN] Cisco 3015 conentrator Message-ID: Hi, Does Cisco 3015 concentrator need a firewall to protect hacking? Thanks, Roger -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.shmoo.com/pipermail/vpn/attachments/20031113/db35c44e/attachment.htm From brian at shmoo.com Thu Nov 13 12:42:20 2003 From: brian at shmoo.com (Brian Wotring) Date: Thu, 13 Nov 2003 10:42:20 -0700 Subject: [VPN] Cisco 3015 conentrator In-Reply-To: References: Message-ID: Yes, and I recommend unplugging it and burying it in your backyard. On Nov 13, 2003, at 10:30 AM, Roger Qian wrote: > Hi, > > Does Cisco 3015 concentrator need a firewall to protect hacking? > > Thanks, > > Roger > _______________________________________________ > VPN mailing list > VPN at lists.shmoo.com > http://lists.shmoo.com/mailman/listinfo/vpn -- Brian Wotring ( brian at shmoo.com ) PGP KeyID: 0x9674763D From djdawso at qwest.com Thu Nov 13 13:35:07 2003 From: djdawso at qwest.com (Dana J. Dawson) Date: Thu, 13 Nov 2003 12:35:07 -0600 Subject: [VPN] Cisco 3015 conentrator In-Reply-To: References: Message-ID: <3FB3CEDB.4020606@qwest.com> In a more helpful vein, The 3000 has default filters on the public interface that should do a reasonable job of restricting traffic to just that used by the various VPN technologies it supports. You can tighten them down if you know you won't use a particular protocol, but you can't remove the list if you want to terminate VPN's (though nothing stops you from permitting all traffic through the filter, which would be a bad thing to do). However, these filters don't provide any DoS protection to the 3000, so there would be a benefit in that regard in having an external firewall, assuming it provided such protection. 
I've not seen any reports of a 3000 being hacked, but there was a vulnerability a while back that could allow unintended traffic through the concentrator but that's been fixed for a long time (I forget the details, but it'd be easy to find on Cisco's site). It's not a gaping hole in your security if you don't protect with a firewall so I would argue that you don't *need* a firewall in front of it. The 3000 is, in fact, one of the nicer VPN concentrators on the market in my opinion. It's not perfect, but nothing is. HTH Dana -- Dana J. Dawson djdawso at qwest.com Senior Staff Engineer CCIE #1937 Qwest Communications (612) 664-3364 600 Stinson Blvd., Suite 1S (612) 664-4779 (FAX) Minneapolis MN 55413-2620 "Hard is where the money is." Brian Wotring wrote: > > Yes, and I recommend unplugging it and burying it in your backyard. > > On Nov 13, 2003, at 10:30 AM, Roger Qian wrote: > >> Hi, >> >> Does Cisco 3015 concentrator need a firewall to protect hacking? >> >> Thanks, >> >> Roger >> _______________________________________________ >> VPN mailing list >> VPN at lists.shmoo.com >> http://lists.shmoo.com/mailman/listinfo/vpn > > > -- > Brian Wotring ( brian at shmoo.com ) > PGP KeyID: 0x9674763D > > _______________________________________________ > VPN mailing list > VPN at lists.shmoo.com > http://lists.shmoo.com/mailman/listinfo/vpn > From billford at billford.com Thu Nov 13 13:46:56 2003 From: billford at billford.com (Bill Mathews) Date: Thu, 13 Nov 2003 13:46:56 -0500 (EST) Subject: [VPN] Cisco 3015 conentrator In-Reply-To: <3FB3CEDB.4020606@qwest.com> References: <3FB3CEDB.4020606@qwest.com> Message-ID: <33195.208.40.63.218.1068749216.squirrel@www.billford.com> I would agree completely with it being "one of the nicer vpn concentrators..." However, I would contend that you certainly should have a firewall in front of it. It is a generally regarded best practice to control as much access to your network from a central place (your firewall) as possible. 
The filters are decent but do not offer full blown protection. Although the VPN Concentrators are a very well implemented solution, they are still vulnerable to things. I would suggest it be behind your firewall as another layer of protection. My $.02 -- Bill Mathews Open Source Software Advocate billford at billford.com "Don't hate it because its Microsoft, hate because its bad" The wise and noble Dana J. Dawson spiteth forth upon the land, these thoughts: > In a more helpful vein, The 3000 has default filters on the public > interface that should do a reasonable job of restricting traffic to just > that used by the various VPN technologies it supports. You can tighten > them down if you know you won't use a particular protocol, but you can't > remove the list if you want to terminate VPN's (though nothing stops you > from permitting all traffic through the filter, which would be a bad > thing to do). However, these filters don't provide any DoS protection > to the 3000, so there would be a benefit in that regard in having an > external firewall, assuming it provided such protection. I've not seen > any reports of a 3000 being hacked, but there was a vulnerability a > while back that could allow unintended traffic through the concentrator > but that's been fixed for a long time (I forget the details, but it'd be > easy to find on Cisco's site). It's not a gaping hole in your security > if you don't protect with a firewall so I would argue that you don't > *need* a firewall in front of it. The 3000 is, in fact, one of the > nicer VPN concentrators on the market in my opinion. It's not perfect, > but nothing is. > > HTH > > Dana > > -- > > Dana J. Dawson djdawso at qwest.com > Senior Staff Engineer CCIE #1937 > Qwest Communications (612) 664-3364 > 600 Stinson Blvd., Suite 1S (612) 664-4779 (FAX) > Minneapolis MN 55413-2620 > > "Hard is where the money is." > > > Brian Wotring wrote: > >> >> Yes, and I recommend unplugging it and burying it in your backyard. 
>> >> On Nov 13, 2003, at 10:30 AM, Roger Qian wrote: >> >>> Hi, >>> >>> Does Cisco 3015 concentrator need a firewall to protect hacking? >>> >>> Thanks, >>> >>> Roger >>> _______________________________________________ >>> VPN mailing list >>> VPN at lists.shmoo.com >>> http://lists.shmoo.com/mailman/listinfo/vpn >> >> >> -- >> Brian Wotring ( brian at shmoo.com ) >> PGP KeyID: 0x9674763D >> >> _______________________________________________ >> VPN mailing list >> VPN at lists.shmoo.com >> http://lists.shmoo.com/mailman/listinfo/vpn >> > > > _______________________________________________ > VPN mailing list > VPN at lists.shmoo.com > http://lists.shmoo.com/mailman/listinfo/vpn > From alan.trevillion at bankofamerica.com Fri Nov 14 03:00:17 2003 From: alan.trevillion at bankofamerica.com (Trevillion, Alan) Date: Fri, 14 Nov 2003 08:00:17 -0000 Subject: [VPN] Neophite question Message-ID: <711B34371492D411908B00508BF9BE2E075A7C55@crotmp07.emea.bankofamerica.com> This sounds like a mixture of issues, but I suspect the you loose Internet connectivity because you may be Tunnelling all traffic. Once you are in the Private LAN at your office it cannot find a Route back out. Share connection relies on WINS Servers so you may have to allow Tunnelling of Default Gateways and WINS Servers once connected. I suspect you have to export these parameters once you are connected. Cheers Alan -----Original Message----- From: Brian at Charter [mailto:b_moyer at charter.net] Sent: 12 November 2003 19:39 To: vpn at lists.shmoo.com Subject: [VPN] Neophite question To anyone willing to help! I used to be able to use access my office computer network from home through my ISP. As I am sure you all know, the worms from earlier this year caused many ISPs to block certain ports that now make access the old way impossible. So, I tried to set up a VPN access point. After allowing IPSec and PPTP pass through on my home router, I am now able to connect to my office desktop from home through VPN. 
The problem is, once I make this connection, my ability to get to the internet is destroyed. I can no longer surf the web, send emails, etc. Although I can ping my office machine, I can not get to any of my shares and I can not ping any other machines at work. I am running Windows 2000 on both machines. I do not even know what other information would help to diagnose this problem. If you could please point me in the right direction, I would really appreciate it. Kindly, Brian -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.shmoo.com/pipermail/vpn/attachments/20031114/1eb745ca/attachment.htm From jef at linuxbe.org Fri Nov 14 03:20:19 2003 From: jef at linuxbe.org (Jean-Francois Dive) Date: Fri, 14 Nov 2003 09:20:19 +0100 Subject: [VPN] VPN tunnel between 2 Cisco 1721 Routers In-Reply-To: References: Message-ID: <20031114082019.GB1232@gardafou.assamite.eu.org> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml On Wed, Nov 12, 2003 at 04:41:40PM -0600, Glenda Pratts wrote: > Hello, > > I am trying to set up an IPSec tunnel between two Cisco 1721 routers (with > VPN modules installed) between two networks using private IP addresses. Both > routers are connected to the internet via a fractional T1, and are running > Cisco IOS version 12.2(13). I would like to set up encryption for all data > sent through the tunnel, and use NAT for all traffic not sent through the > tunnel. Any assistance configuring the VPN and the NAT is greatly > appreciated. > > Thanks, > > Glenda Pratts > System Administrator > Valve Systems and Controls > 501 W. 38th Street > Houston, Texas 77018 > 713.742.1015 (direct) > 713.742.1010 (fax) > > > _______________________________________________ > VPN mailing list > VPN at lists.shmoo.com > http://lists.shmoo.com/mailman/listinfo/vpn -- -> Jean-Francois Dive --> jef at linuxbe.org I think that God in creating Man somewhat overestimated his ability. 
-- Oscar Wilde From losttoy2000 at yahoo.co.uk Fri Nov 14 06:58:02 2003 From: losttoy2000 at yahoo.co.uk (=?iso-8859-1?q?Siddhartha=20Jain?=) Date: Fri, 14 Nov 2003 11:58:02 +0000 (GMT) Subject: [VPN] Cisco 3015 conentrator In-Reply-To: <3FB3CEDB.4020606@qwest.com> Message-ID: <20031114115802.46714.qmail@web25105.mail.ukl.yahoo.com> Depends on whether you already have a firewall. If you already have a firewall then I would argue to keep it behind the firewall. One reason is DoS attacks and second is that the network shouldn't have two parallel points of access. But again, even if you did put in parallely there would hardly be much of a security risk. Siddhartha --- "Dana J. Dawson" wrote: > In a more helpful vein, The 3000 has default filters > on the public > interface that should do a reasonable job of > restricting traffic to just > that used by the various VPN technologies it > supports. You can tighten > them down if you know you won't use a particular > protocol, but you can't > remove the list if you want to terminate VPN's > (though nothing stops you > from permitting all traffic through the filter, > which would be a bad > thing to do). However, these filters don't provide > any DoS protection > to the 3000, so there would be a benefit in that > regard in having an > external firewall, assuming it provided such > protection. I've not seen > any reports of a 3000 being hacked, but there was a > vulnerability a > while back that could allow unintended traffic > through the concentrator > but that's been fixed for a long time (I forget the > details, but it'd be > easy to find on Cisco's site). It's not a gaping > hole in your security > if you don't protect with a firewall so I would > argue that you don't > *need* a firewall in front of it. The 3000 is, in > fact, one of the > nicer VPN concentrators on the market in my opinion. > It's not perfect, > but nothing is. > > HTH > > Dana > > -- > > Dana J. 
Dawson djdawso at qwest.com > Senior Staff Engineer CCIE #1937 > Qwest Communications (612) 664-3364 > 600 Stinson Blvd., Suite 1S (612) 664-4779 > (FAX) > Minneapolis MN 55413-2620 > > "Hard is where the money is." > > > Brian Wotring wrote: > > > > > Yes, and I recommend unplugging it and burying it > in your backyard. > > > > On Nov 13, 2003, at 10:30 AM, Roger Qian wrote: > > > >> Hi, > >> > >> Does Cisco 3015 concentrator need a firewall to > protect hacking? > >> > >> Thanks, > >> > >> Roger > >> _______________________________________________ > >> VPN mailing list > >> VPN at lists.shmoo.com > >> http://lists.shmoo.com/mailman/listinfo/vpn > > > > > > -- > > Brian Wotring ( brian at shmoo.com ) > > PGP KeyID: 0x9674763D > > > > _______________________________________________ > > VPN mailing list > > VPN at lists.shmoo.com > > http://lists.shmoo.com/mailman/listinfo/vpn > > > > > _______________________________________________ > VPN mailing list > VPN at lists.shmoo.com > http://lists.shmoo.com/mailman/listinfo/vpn ________________________________________________________________________ Want to chat instantly with your online friends? Get the FREE Yahoo! Messenger http://mail.messenger.yahoo.co.uk From TSimons at Delphi-Tech.com Sat Nov 15 08:36:04 2003 From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com) Date: Sat, 15 Nov 2003 08:36:04 -0500 Subject: [VPN] Neophite question Message-ID: <880E60DA7286AB4CBEECB01B169A63BD142C8614@NJ-2K-Email1.delphi-tech.com> What VPN client are you using? What are your local DNS settings before/after your vpn connection? Is your company utilizing Global VPNs? -----Original Message----- From: Brian at Charter To: vpn at lists.shmoo.com Sent: 11/12/2003 2:38 PM Subject: [VPN] Neophite question To anyone willing to help! I used to be able to use access my office computer network from home through my ISP. 
As I am sure you all know, the worms from earlier this year caused many ISPs to block certain ports that now make access the old way impossible. So, I tried to set up a VPN access point. After allowing IPSec and PPTP pass through on my home router, I am now able to connect to my office desktop from home through VPN. The problem is, once I make this connection, my ability to get to the internet is destroyed. I can no longer surf the web, send emails, etc. Although I can ping my office machine, I can not get to any of my shares and I can not ping any other machines at work. I am running Windows 2000 on both machines. I do not even know what other information would help to diagnose this problem. If you could please point me in the right direction, I would really appreciate it. Kindly, Brian <> From gwc at acm.org Sat Nov 15 13:12:55 2003 From: gwc at acm.org (George W. Capehart) Date: Sat, 15 Nov 2003 13:12:55 -0500 Subject: [VPN] Neophite question In-Reply-To: <000801c3a954$9bc853d0$6401a8c0@bioeng.pitt.edu> References: <000801c3a954$9bc853d0$6401a8c0@bioeng.pitt.edu> Message-ID: <200311151312.55672.gwc@acm.org> On Wednesday 12 November 2003 02:38 pm, Brian at Charter wrote: > > After allowing IPSec and PPTP pass through on my home router, I am > now able to connect to my office desktop from home through VPN. The > problem is, once I make this connection, my ability to get to the > internet is destroyed. I can no longer surf the web, send emails, > etc. Although I can ping my office machine, I can not get to any of > my shares and I can not ping any other machines at work. Hello Brian, This is as it should be. Think about it for a minute . . . If you could both access your office LAN and the Internet, you'd be a back door into your office LAN. Your corporate security folks would probably have a problem with that . . . ;> /g -- George Capehart "I'd rather have a bottle in front of me than a frontal lobotomy." 
-- Unknown

From evyncke at cisco.com Sat Nov 15 15:09:56 2003
From: evyncke at cisco.com (Eric Vyncke)
Date: Sat, 15 Nov 2003 21:09:56 +0100
Subject: [VPN] VPN tunnel between 2 Cisco 1721 Routers
In-Reply-To:
Message-ID: <5.1.0.14.2.20031115210504.05fe0c08@localhost>

You should browse on the Cisco web site to find some examples... Notably: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml

If you have multiple subnets behind those routers, you should probably use the combination of GRE & IPsec (aka 'tunnel protection'). Else, 'plain' IPsec should be enough.

To bypass NAT for encrypted traffic, you need to use a trick called 'route-map':

    ip nat inside source route-map NO_NAT interface ??? overload
    route-map NO_NAT permit 10
     match ip address 100
    access-list 100 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
    access-list 100 permit ip 10.1.1.0 0.0.0.255 any

Assuming that the encrypted traffic is from 10.1.1.0/24 to 10.2.2.0/24

-eric

At 16:41 12/11/2003 -0600, Glenda Pratts wrote:
>Hello,
>
>I am trying to set up an IPSec tunnel between two Cisco 1721 routers (with
>VPN modules installed) between two networks using private IP addresses. Both
>routers are connected to the internet via a fractional T1, and are running
>Cisco IOS version 12.2(13). I would like to set up encryption for all data
>sent through the tunnel, and use NAT for all traffic not sent through the
>tunnel. Any assistance configuring the VPN and the NAT is greatly
>appreciated.
>
>Thanks,
>
>Glenda Pratts
>System Administrator
>Valve Systems and Controls
>501 W. 38th Street
>Houston, Texas 77018
>713.742.1015 (direct)
>713.742.1010 (fax)

-------------- next part --------------
An HTML attachment was scrubbed...
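The route-map trick in Eric's reply is easy to get backwards, so here is an added example (editor's code, not part of Eric's post or of Cisco's documentation) that models how IOS evaluates ACL 100 when it is referenced from "ip nat inside source route-map": entries are tried top-down and the first match wins, an unmatched packet falls to the implicit deny, the address/wildcard pairs are inverse masks (0 = must match, 1 = don't care), and only a packet the ACL permits is translated. The deny line is therefore what keeps tunnel traffic out of NAT so that it still matches the crypto map. The example goes one step beyond the post by also evaluating the same packets against an ACL with the deny line left out, which is the usual way this configuration fails. The sample packet addresses are constructed for the example.

```python
"""Added example (not from Eric Vyncke's post or from Cisco documentation):
a small evaluator for the NAT-exemption logic of the NO_NAT route-map.

IOS semantics modelled here:
  * extended ACL entries are tried top-down, first match wins, and an
    unmatched packet hits the implicit deny at the end of the list;
  * address/wildcard pairs use inverse masks: a 0 bit must match, a 1 bit
    is "don't care" ('host A' means wildcard 0.0.0.0, 'any' means
    0.0.0.0 255.255.255.255);
  * 'ip nat inside source route-map NO_NAT ...' translates a packet only if
    the route-map matches, i.e. only if the ACL *permits* it.  A packet the
    ACL denies leaves the router untranslated, so its original private
    addresses can still match the crypto map and be encrypted.
Addresses in the sample packets below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Addr = Tuple[int, int]  # (network as int, wildcard as int)


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: Addr
    dst: Addr


def _take_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (net, wild), tokens[2:]


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list <n> {permit|deny} ip <src> <dst>' (protocol 'ip' only)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACL line: {rest}")
    return AclEntry(tok[2], src, dst)


def _matches(addr: int, spec: Addr) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF        # bits that must match (wildcard 0 bits)
    return (addr & care) == (net & care)


def acl_result(acl: List[AclEntry], src: str, dst: str) -> str:
    """First-match evaluation; returns 'permit' or 'deny' (implicit deny)."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in acl:
        if _matches(s, e.src) and _matches(d, e.dst):
            return e.action
    return "deny"


def nat_decision(acl: List[AclEntry], src: str, dst: str) -> str:
    """'nat' if the route-map matches (ACL permit), else 'no-nat'."""
    return "nat" if acl_result(acl, src, dst) == "permit" else "no-nat"


# ACL 100 exactly as posted: exempt tunnel traffic, translate everything else
# sourced from the inside subnet.
ACL_100 = [parse_acl_line(l) for l in (
    "access-list 100 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
    "access-list 100 permit ip 10.1.1.0 0.0.0.255 any",
)]

# The classic mistake: forgetting the deny line.  Tunnel-bound packets are
# then translated to the outside address before the crypto map sees them,
# so they never match the crypto ACL and are forwarded unencrypted along
# the default route instead.
ACL_100_MISSING_DENY = [parse_acl_line(
    "access-list 100 permit ip 10.1.1.0 0.0.0.255 any")]


def demo() -> List[Tuple[str, str, str, str]]:
    """Return (src, dst, decision with ACL 100, decision without the deny)."""
    packets = [("10.1.1.5", "10.2.2.9"),        # to the remote LAN: must not be NATed
               ("10.1.1.5", "198.51.100.7"),    # to the Internet: NATed
               ("10.1.2.5", "198.51.100.7")]    # not an inside source: implicit deny
    return [(s, d, nat_decision(ACL_100, s, d), nat_decision(ACL_100_MISSING_DENY, s, d))
            for s, d in packets]


if __name__ == "__main__":
    for row in demo():
        print("%-12s -> %-14s  ACL 100: %-7s  without deny: %s" % row)
```

Run it as a script and the first row shows the point of the posted ACL: 10.1.1.5 to 10.2.2.9 is "no-nat" with the deny line present and "nat" without it. The third row is a reminder that a source outside 10.1.1.0/24 falls to the implicit deny and is never translated at all, so every inside subnet that should reach the Internet needs its own permit line, and every subnet pair carried by the tunnel needs its own deny line placed above the permits.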
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20031115/8dd80036/attachment.htm From davepier at optusnet.com.au Mon Nov 17 06:17:30 2003 From: davepier at optusnet.com.au (David Pierson) Date: Mon, 17 Nov 2003 21:17:30 +1000 Subject: [VPN] Neophite question References: <000801c3a954$9bc853d0$6401a8c0@bioeng.pitt.edu> Message-ID: <00aa01c3acfc$64d320c0$0701000a@qld.optushome.com.au> My first thought would be the "Use default gateway on remote network" checkbox, which on my system is in the TCP/IP Settings popup in the Dial up Networking properties for the connection. This controls traffic that isn't directly aimed at the VPN - whether it goes direct to the internet or via the office. Try clearing this checkbox. Many say that it is a security hole to have a window open to the 'net while also connected to your VPN as it provides a back door for nasties. I'll leave that for others to decide :-) Hope this helps David Pierson Brisbane ----- Original Message ----- From: Brian at Charter To: vpn at lists.shmoo.com Sent: Thursday, November 13, 2003 5:38 AM Subject: [VPN] Neophite question To anyone willing to help! I used to be able to use access my office computer network from home through my ISP. As I am sure you all know, the worms from earlier this year caused many ISPs to block certain ports that now make access the old way impossible. So, I tried to set up a VPN access point. After allowing IPSec and PPTP pass through on my home router, I am now able to connect to my office desktop from home through VPN. The problem is, once I make this connection, my ability to get to the internet is destroyed. I can no longer surf the web, send emails, etc. Although I can ping my office machine, I can not get to any of my shares and I can not ping any other machines at work. I am running Windows 2000 on both machines. I do not even know what other information would help to diagnose this problem. 
If you could please point me in the right direction, I would really appreciate it. Kindly, Brian

From yipiha at yahoo.com Wed Nov 19 03:04:42 2003
From: yipiha at yahoo.com (yous)
Date: Wed, 19 Nov 2003 00:04:42 -0800 (PST)
Subject: [VPN] Windows 2000 Certificates
Message-ID: <20031119080442.50879.qmail@web13501.mail.yahoo.com>

Hi all, I have a problem configuring my VPN ends so I can't access the LAN using certificate authentication. Maybe some of you can help.

Note: As this was a test we do not work through the net yet, but it works as if we were, so please do not consider it when establishing the possible problem.

WORKING CONFIGURATION (NO CERTIFICATES)

Domain Controller XXL - NIC001: 192.168.1.1 (LAN XXL). Active Directory contains the user john.doe and his password.

VPN Server - NIC001: 192.168.1.10 (LAN XXL); NIC002: 192.168.100.100 (VPN connection) with MS-CHAP v2 for Windows authentication (no RADIUS).

VPN Client - NIC001: 192.168.100.200 (VPN connection). john.doe connects via a VPN connection pointing to the VPN server and using MS-CHAP v2 for authentication. The connection port is automatic.

The way I understand it is: when I want to establish the connection, the VPN client is not on the network XXL so cannot contact the domain controller, but it retains the domain information from a previous cached login. Hence, when the connection is started the username/password is somehow checked against Active Directory and the connection is established as follows:

client ---------------- request connection ---------------------> server
server ----- requests authentication information --------> client
client ---------------- send information -------------------------> server
server -------- request check on information -------------> domain controller (DC)
DC ----------- authenticate the user/pass combination ---> server
server ------------ accept connection -------------------------> client

NOT WORKING CONFIGURATION (CERTIFICATES - all other things stay the same)

Now I have one more machine on the domain XXL which I defined as the certificate authority.

Domain Controller XXL - NIC001: 192.168.1.1 (LAN XXL). Active Directory contains the user john.doe and his password. The XXL CA is entered as Trusted Authority.

VPN Server - NIC001: 192.168.1.10 (LAN XXL); NIC002: 192.168.100.100 (VPN connection) with MS-CHAP v2 for Windows authentication (no RADIUS). This machine has a machine certificate from the XXL CA following an MMC request. IPSec is enabled for NIC002. The RAS authentication method is EAP only, using certificates.

Certificate Authority - NIC001: 192.168.1.50 (LAN XXL). This CA is entered as trusted root authority in Active Directory.

VPN Client - NIC001: 192.168.100.200 (VPN connection). john.doe has a user certificate on the machine following an enrollment request using the XXL CA web interface. The machine itself also has a certificate and IPSec is enabled at basic level for the network card. The VPN connection uses EAP authentication with certificate; the certificate server is XXL CA.

When I click the connection I do not have to enter any username/password, as I just get a reference to the certificate I want to use (john.doe, issued by XXL CA, expiration date next year). When the connection reaches "verifying username and password" I receive the error: 691 - Access was denied because the username and/or password was invalid on the domain.

I believe it means that the DC is not contacted, hence it cannot check the username/password. I do not understand why it worked in the previous configuration but not now. Any idea?

PS: I checked a lot and several times trivial elements such as that the certificate for john.doe was valid or that john.doe existed in the group allowed to remotely access the VPN server.

From jimd at lmi.net Thu Nov 20 16:16:04 2003
From: jimd at lmi.net (Jim Dueltgen)
Date: Thu, 20 Nov 2003 13:16:04 -0800
Subject: [VPN] Netscreen to Cisco client/server VPN?
In-Reply-To: <20021204192653.C27311-100000@sisyphus.iocaine.com>
References: <20021204192653.C27311-100000@sisyphus.iocaine.com>
Message-ID:

Hi folks, I'm currently slogging through the archives but I'm hoping someone has a quick answer for me. I've got a road-warrior type user who needs to connect (not simultaneously) from a Win2K laptop to both a Cisco (3000 I believe) and NetScreen (5XP running the 4.x firmware) VPN server. He currently has the Cisco VPN client installed. Since the Cisco VPN Dialer and NetScreen Remote clients don't seem to play nicely with each other when they're both installed, I'm wondering if anyone has had any success using either client (Cisco or NetScreen Remote) to connect to both server types and, if so, if you have a recipe or config examples to share. I see lots of interoperability testing for VPN server-to-server connections but I'm not finding any relevant information about client-to-server interoperability. Any help, including, "It can't be done, you bonehead," would be appreciated.
Regards, Jim Dueltgen LMi.net From Andrew.Princee at TrinitySecurity.como Thu Nov 20 18:26:33 2003 From: Andrew.Princee at TrinitySecurity.como (Andrew Prince) Date: Thu, 20 Nov 2003 23:26:33 -0000 Subject: [VPN] Netscreen to Cisco client/server VPN? In-Reply-To: Message-ID: <000901c3afbd$bc7c7a60$0201a8c0@DEIMOS> Jim, As I have also experienced - you probably won't find a client that will work with other vendors, despite of the standards. I would think you are better off at this stage of creating a local IPSEC policy for the user - I tested this using L2TP. Then use this policy as a "generic, connect to all" HTH Andy. -----Original Message----- From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com [mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On Behalf Of Jim Dueltgen Sent: 20 November 2003 21:16 To: vpn at lists.shmoo.com Subject: [VPN] Netscreen to Cisco client/server VPN? Hi folks, I'm currently slogging through the archives but I'm hoping someone has a quick answer for me. I've got a road warrior type user who needs to connect (not simultaneously) from a Win2K laptop to both a Cisco (3000 I believe) and NetScreen (5XP running the 4.x firmware) VPN server. He currently has the Cisco VPN client installed. Since the Cisco VPN Dialer and NetScreen Remote clients don't seem to play nicely with each other when they're both installed I'm wondering if anyone has had any success using either client (Cisco or NetScreen Remote) to connect to both server types and if so if you have a recipe or config examples to share. I see lots of interoperability testing for VPN server-to-server connections but I'm not finding any relevant information about client-to-server interoperability. Any help, including, "It can't be done, you bonehead," would be appreciated. 
Regards,

Jim Dueltgen
LMi.net

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From perera.hasitha at meta.co.jp Thu Nov 20 22:07:47 2003
From: perera.hasitha at meta.co.jp (hasitha perera)
Date: Fri, 21 Nov 2003 12:07:47 +0900
Subject: [VPN] VPN on RedHat Linux
Message-ID: <20031121115918.6B52.PERERA.HASITHA@meta.co.jp>

Hi,

I am going to build an IPsec VPN server on Red Hat Linux. I have to start from the beginning. Can you suggest a good reference book for me?

Hasitha

--
hasitha perera

From jef at linuxbe.org Fri Nov 21 02:36:15 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Fri, 21 Nov 2003 08:36:15 +0100
Subject: [VPN] Netscreen to Cisco client/server VPN?
In-Reply-To:
References: <20021204192653.C27311-100000@sisyphus.iocaine.com>
Message-ID: <20031121073615.GA1113@gardafou.assamite.eu.org>

The VPN client world is very unfortunate when we talk about IPsec and inter-vendor interoperability: the two main "standards" in use (mode config and xauth) suffer from a lot of interop issues. In particular, every vendor has implemented those features in a vendor-specific way, using private attributes or even working hard, on purpose, to avoid interoperability (for example, Nortel uses an unknown hash algorithm in their password-based authentication). When it comes down to trying to get a mode config and xauth client to work with the major gateways, it turns into a nightmare pretty fast.

In your case, I would try to go with SSH Sentinel as the VPN client and get certificate-based authentication on both boxes. Both gateways will support the connection; however, xauth and mode config may or may not work. Both vendors' VPN clients will only work against their own vendor's equipment.

So, it can be done, but may be restricted feature-wise for road warriors.

Hope this helps,

J.
On Thu, Nov 20, 2003 at 01:16:04PM -0800, Jim Dueltgen wrote:
> Hi folks,
>
> I'm currently slogging through the archives, but I'm hoping someone
> has a quick answer for me. I've got a road-warrior type user who
> needs to connect (not simultaneously) from a Win2K laptop to both a
> Cisco (3000, I believe) and a NetScreen (5XP running the 4.x firmware)
> VPN server. He currently has the Cisco VPN client installed. Since
> the Cisco VPN Dialer and NetScreen Remote clients don't seem to play
> nicely with each other when they're both installed, I'm wondering if
> anyone has had any success using either client (Cisco or NetScreen
> Remote) to connect to both server types, and if so, whether you have a
> recipe or config examples to share. I see lots of interoperability
> testing for VPN server-to-server connections, but I'm not finding any
> relevant information about client-to-server interoperability. Any
> help, including "It can't be done, you bonehead," would be
> appreciated.
>
> Regards,
>
> Jim Dueltgen
> LMi.net

--
-> Jean-Francois Dive
--> jef at linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde

From Bob.Marvin at Maines.Net Fri Nov 21 15:28:58 2003
From: Bob.Marvin at Maines.Net (Bob Marvin)
Date: Fri, 21 Nov 2003 15:28:58 -0500
Subject: [VPN] Browsing Issues
Message-ID: <716FCC638B2AD411967500D0B74A039105387107@MPFS-CO03>

I have a Cisco VPN 3000 Concentrator set up with the version 4.0 client installed on company laptops. The VPN works as it should, except on certain occasions where users are unable to view their network drives and certain objects in Network Neighborhood. All users are running at least Windows 2000 Professional.

Any suggestions as to what might be causing this issue? Thanks for any help in advance.

__________________________
Robert J. Marvin
Network Administrator
Maines Paper & Food Service, Inc.

______________________________________________________

This e-mail, including any attachments, may contain information that is protected by law as privileged and confidential, and is transmitted for the sole use of the intended recipient. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying or retention of this e-mail or the information contained herein is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by telephone or reply e-mail, and permanently delete this e-mail from your computer system. Thank you.

From Gary.R.Smith at motorola.com Fri Nov 21 16:19:45 2003
From: Gary.R.Smith at motorola.com (Smith Gary-GSMITH1)
Date: Fri, 21 Nov 2003 15:19:45 -0600
Subject: [VPN] VPN on RedHat Linux
Message-ID: <0DFC73466514D41186B700508B95104106D645A2@tx14exm04.ftw.mot.com>

Hi Hasitha,

Check out "Building Linux Virtual Private Networks (VPNs)" by Oleg Kolesnikov and Brian Hatch. Highly recommended.

Cheers,

Gary Smith
GSEC, GCFW, GCIA

-----Original Message-----
From: vpn-bounces+gary.r.smith=motorola.com at lists.shmoo.com [mailto:vpn-bounces+gary.r.smith=motorola.com at lists.shmoo.com] On Behalf Of hasitha perera
Sent: Thursday, November 20, 2003 9:08 PM
To: vpn at lists.shmoo.com
Cc: perera.hasitha at meta.co.jp
Subject: [VPN] VPN on RedHat Linux

Hi,

I am going to build an IPsec VPN server on Red Hat Linux. I have to start from the beginning. Can you suggest a good reference book for me?
--
hasitha perera

From jef at linuxbe.org Sat Nov 22 02:29:29 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Sat, 22 Nov 2003 08:29:29 +0100
Subject: [VPN] Browsing Issues
In-Reply-To: <716FCC638B2AD411967500D0B74A039105387107@MPFS-CO03>
References: <716FCC638B2AD411967500D0B74A039105387107@MPFS-CO03>
Message-ID: <20031122072929.GA1702@gardafou.assamite.eu.org>

This sounds clearly like a client or configuration issue, depending on how your Windows networking is set up. Check that they have access to WINS, and use it if you're in a mixed-mode environment (NT networking); otherwise, check that they have access to Active Directory.

On Fri, Nov 21, 2003 at 03:28:58PM -0500, Bob Marvin wrote:
> I have a Cisco VPN 3000 Concentrator set up with the version 4.0 client
> installed on company laptops. The VPN works as it should, except on certain
> occasions where users are unable to view their network drives and certain
> objects in Network Neighborhood. All users are running at least Windows 2000
> Professional.
>
> Any suggestions as to what might be causing this issue? Thanks for any help
> in advance.
>
> __________________________
> Robert J. Marvin
> Network Administrator
> Maines Paper & Food Service, Inc.
--
-> Jean-Francois Dive
--> jef at linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde
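The Netscreen-to-Cisco client thread above turns on which proprietary extensions (xauth, mode config, Cisco Unity) each side advertises during IKE Phase 1. Those extensions are announced in ISAKMP Vendor ID payloads, so the quickest way to see what a client or gateway actually claims to support, before blaming the configuration, is to decode the first Phase 1 packet from a capture on UDP/500. The following Python is an added example and is not code from the list, from Cisco or from NetScreen: it parses the ISAKMP header and payload chain as laid out in RFC 2408, lists the Vendor ID payloads and names the ones it recognises. The packet it decodes is constructed inline (the SA/KE/NONCE/ID bodies are dummy bytes). The xauth and NAT-T vendor IDs are derived by MD5 as their specifications define them; the Cisco Unity and Dead Peer Detection values are hard-coded from memory and should be checked against your IKE daemon's vendor table.

```python
"""Decode ISAKMP (IKEv1) payload chains and report Vendor ID payloads.

Added example for the client interoperability thread. Assumes raw ISAKMP bytes
as carried on UDP/500 (no NAT-T non-ESP marker). Only the header and the
generic payload headers are interpreted; bodies other than Vendor ID are opaque.
"""
import hashlib
import struct

ISAKMP_HDR_LEN = 28
ISAKMP_HDR_FMT = "!8s8sBBBBII"  # I-cookie, R-cookie, next payload, version, exchange, flags, msg ID, length
PAYLOAD_HDR_FMT = "!BBH"        # next payload, reserved, payload length (includes this 4-byte header)
VENDOR_ID = 13                  # RFC 2408 payload type

PAYLOAD_NAMES = {
    1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFY", 12: "DELETE",
    13: "VID", 14: "ATTR (mode-config)",
}
EXCHANGE_NAMES = {
    2: "Main Mode", 4: "Aggressive Mode", 5: "Informational",
    6: "Transaction (mode-config)", 32: "Quick Mode",
}


def md5_vid(text, length=16):
    """Standards-defined vendor IDs are MD5 digests of a fixed string."""
    return hashlib.md5(text.encode("ascii")).digest()[:length]


# xauth and NAT-T are derived as their documents specify (xauth implementations
# send only the first 8 bytes). Cisco Unity and DPD are recalled constants and
# are an assumption here: verify them against your IKE daemon's vendor table.
KNOWN_VIDS = {
    md5_vid("draft-ietf-ipsra-isakmp-xauth-06.txt", 8): "XAUTH (draft-ietf-ipsra-isakmp-xauth-06)",
    md5_vid("RFC 3947"): "NAT-Traversal (RFC 3947)",
    bytes.fromhex("12f5f28c457168a9702d9fe274cc0100"): "Cisco Unity (vendor mode-config/xauth extensions)",
    bytes.fromhex("afcad71368a1f1c96b8696fc77570100"): "Dead Peer Detection (RFC 3706)",
}


def parse_isakmp(pkt):
    """Return header fields and the ordered list of (payload_type, body) pairs.

    Every length inconsistency raises ValueError instead of being guessed at,
    which is what you want from a decoder fed with hostile or truncated captures.
    """
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, next_pl, version, xchg, flags, msg_id, length = struct.unpack(
        ISAKMP_HDR_FMT, pkt[:ISAKMP_HDR_LEN])
    if length != len(pkt):
        raise ValueError(f"header length {length} != packet length {len(pkt)}")
    if flags & 0x01:  # E bit: payloads are encrypted, nothing to decode without Phase 1 keys
        raise ValueError("encrypted payloads")
    payloads = []
    off = ISAKMP_HDR_LEN
    while next_pl != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack(PAYLOAD_HDR_FMT, pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append((next_pl, pkt[off + 4:off + plen]))
        next_pl, off = following, off + plen
    if off != len(pkt):
        raise ValueError("trailing bytes after last payload")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_NAMES.get(xchg, f"exchange type {xchg}"),
        "message_id": msg_id,
        "payloads": payloads,
    }


def payload_summary(parsed):
    return [PAYLOAD_NAMES.get(t, f"type {t}") for t, _ in parsed["payloads"]]


def vendor_ids(parsed):
    """Name every Vendor ID payload; unknown IDs are reported in hex so nothing is hidden."""
    return [KNOWN_VIDS.get(body, f"unknown VID {body.hex()}")
            for ptype, body in parsed["payloads"] if ptype == VENDOR_ID]


def build_isakmp(exchange_type, payloads, icookie=b"\x01" * 8):
    """Assemble a Phase 1 packet from (type, body) pairs; used only to construct the sample."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack(PAYLOAD_HDR_FMT, following, 0, 4 + len(body)) + body
    hdr = struct.pack(ISAKMP_HDR_FMT, icookie, b"\x00" * 8, payloads[0][0], 0x10,
                      exchange_type, 0, 0, ISAKMP_HDR_LEN + len(chain))
    return hdr + chain


# Constructed sample: an Aggressive Mode first message with dummy SA/KE/NONCE/ID
# bodies, advertising xauth, Cisco Unity, NAT-T and one unrecognised extension.
SAMPLE_PACKET = build_isakmp(4, [
    (1, b"\x00" * 8), (4, b"\x11" * 16), (10, b"\x22" * 8), (5, b"\x01\x00\x00\x00\x0a\x00\x00\x01"),
    (13, md5_vid("draft-ietf-ipsra-isakmp-xauth-06.txt", 8)),
    (13, bytes.fromhex("12f5f28c457168a9702d9fe274cc0100")),
    (13, md5_vid("RFC 3947")),
    (13, b"\xde\xad\xbe\xef" * 4),
])

if __name__ == "__main__":
    info = parse_isakmp(SAMPLE_PACKET)
    print(f"{info['exchange']} (ISAKMP v{info['version']}), payloads: {' '.join(payload_summary(info))}")
    for name in vendor_ids(info):
        print("  VID:", name)
```

To use it on real traffic, feed `parse_isakmp` the UDP payload of the first packet each client sends (tcpdump or Wireshark can export it); comparing the two clients' Vendor ID lists against what each gateway advertises in its reply shows immediately whether the gateway will even offer xauth or mode config to a foreign client, which is the interop failure the thread describes.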