From jef at linuxbe.org Wed Oct 1 06:35:24 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Wed, 01 Oct 2003 12:35:24 +0200
Subject: [VPN] VPN Help
Message-ID: <1065004524.2121.15.camel@gardafou>

use the split tunneling option to only access your office network and not
0.0.0.0/0.

J.

On Tue, 2003-09-30 at 17:50, Anand Baghel wrote:
> Hi,
>
> Please help me on solving this problem. Forgive me if this was discussed
> before, but I do not see a way to search the archives.
>
> I am using VPN between two offices for transferring data. I have a single
> machine that would need to be able to have multiple machines connected to
> it.
>
> I have Office1 and Office2. I have VPN server in Office1 and VPN client at
> Office2 on Machine1. Office 2 has other machines on LAN. Let's say Machine2,
> Machine3, Machine4, Machine5...
>
> Office1                 Office2
> PC-1------------|-------Machine1
>                 |-------Machine2
>                 |-------Machine3
>
> Here is the problem, when Machine1 is connected to the VPN server at
> Office1, it disconnects itself with other machines i.e. Machine1 loses
> connection with Machine2, Machine3...
>
> I am using CISCO PIX server / firewall at Office1 and VPN CISCO PIX Client
> at Office2. Office 2 does not have any firewall.
> Operating System Windows 2000.
>
> Please tell me what configuration I should make so that it does not happen.
>
> Anand S. Baghel
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

-- 
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From john.galeotos at us.army.mil Wed Oct 1 10:26:35 2003
From: john.galeotos at us.army.mil (Galeotos, John)
Date: Wed, 1 Oct 2003 08:26:35 -0600
Subject: [VPN] VPN and broadband.

Hello,

Mostly I just read the list and try to digest the information, but currently
I've run into a situation where I could use some help. We have one user that
has never been able to access the VPN using his Bresnan broadband account. I
have several users that utilize the same service and have never run into any
problems. I suspect it is something physical at his home, whether it is
cabling or something similar. This is coming from a stance of very limited
knowledge about his set up. We did look at the laptop and we were able to get
VPN'd in using a dial-up ISP. We are using the Cisco client on XP laptops and
this is the only PC that has had any problems. Possibly a network config
problem? Any idea where I should go next? Just troubleshooting here so any
ideas would be appreciated.

Thanks in advance.

John E. Galeotos

From reward at myrealbox.com Wed Oct 1 19:31:43 2003
From: reward at myrealbox.com (Nick)
Date: Wed, 01 Oct 2003 23:31:43 -0000
Subject: [VPN] VPN Help!
In-Reply-To: <20031001180016.6F5C214ABF@mail.iocaine.com>
References: <20031001180016.6F5C214ABF@mail.iocaine.com>
Message-ID: <1065051243.2984.44.camel@ambercode.co.uk>

Andy,

I believe you are UK based; if so, then try http://www.adslguide.org.uk/ for
more information.

If the connection is a standard 'basic' business ADSL package, then you will
have a 256Kbps upload, with a 20:1 contention ratio, i.e. sharing the 256Kbps
with up to 19 other users. This is also rate adaptive: the upload speed will
vary with line length / quality between 100Kbps and 256Kbps. The expected
increase in speed may not materialise.

There are various options: upgrade data rate / reduce contention ratio, or if
you are in London then look at SDSL.
Regards,

Nick

> -----Original Message-----
> From: Andrew Burnett [mailto:ABurnett at saneline.org]
> Sent: Monday, September 29, 2003 4:22 AM
> To: vpn at lists.shmoo.com
> Subject: [VPN] VPN Help!
>
> Hi
>
> I am working for the Mental Health charity SANE, helping out on their IT
> side. My experience is as a Business Analyst/Project Manager in
> Application Development, not Networking.
>
> However, they have very little IT knowledge and it has fallen to me to
> investigate their network setup and its performance. I wonder if you can
> help me - or point me in a better direction...
>
> We have recently changed to an ADSL connection from ISDN. We have 3
> sites linked via a VPN and have not noticed an improvement in
> performance since this changed. We expected that there would be an
> improvement but have been told that the speed was not expected to have
> been improved by this change. Having read a bit of the "Weakest Link"
> link on your website, I would think that ADSL would speed things up - Is
> this correct?
>
> Regards
>
> Andy Burnett

From alberto at combat.com.br Thu Oct 2 07:58:07 2003
From: alberto at combat.com.br (Alberto Fabiano)
Date: Thu, 2 Oct 2003 08:58:07 -0300
Subject: Re: [VPN] FreeSWAN CA 2.02 x PIX - Trouble in phase 2
In-Reply-To: <1064919730.725.26.camel@gardafou>

Hi Jean-Francois,

I already made some experiences, but now I verified that the trouble there
is in the following point:

- ignoring informational payload, type NO_PROPOSAL_CHOSEN

- max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable
  response to our first Quick Mode message: perhaps peer likes no proposal

I found several references on this message (some 18 in Google) but up to now
I didn't get to identify indeed what it is, maybe for my poor experience with
FreeSWAN.
Thankful to all for the help, but I still seek a light! :-)

Att.
[]'s++

./alberto -fabiano

> -----Original Message-----
> From: Jean-Francois Dive [mailto:jef at linuxbe.org]
> Sent: Tuesday, 30 September 2003 08:02
> To: Alberto Fabiano
> Cc: Vpn
> Subject: Re: [VPN] FreeSWAN CA 2.02 x PIX - Trouble in phase 2
>
> you don't see the answer from the PIX, sounds like the problem is in the
> PIX or freeswan side p2 parameter negotiation. I would have expected the
> PIX to send back an informational message. Send us the PIX logs /
> config related to IPSec. Check that the selectors (proxy identities in
> cisco terms) do match properly.
>
> JeF
>
> On Sun, 2003-09-28 at 01:22, Alberto Fabiano wrote:
> > Mrs,
> >
> > After an exhausting research for Google and reading of several materials,
> > the conclusion that I am needing help urgently arrive! :-)
> >
> > I have a FreeSWan CA 2.02 and am trying to establish a tunnel with a PIX
> > through 3DES, MD5, IKE dh 2, using PSK for some days and am not
> > obtaining success in the phase 2 of IPSec, will it be that anybody could
> > feel a help?
> >
> > In an initial moment, I got to close VPN (phase 1 and 2) and I made some
> > tests without a lot of headaches, but now, I don't know because am not
> > getting more to close.
> >
> > It follows the parts of my ipsec.conf below, whack status and related to
> > this tunnel.
> >
> > # cat /var/chroot-ipsec/etc/ipsec.conf
> >
> > #
> > # Default Configuration File for FreeS/WAN IPSEC
> > #
> >
> > config setup
> >         interfaces="ipsec0=eth0"
> >         klipsdebug=none
> >         plutodebug=all
> >         dumpdir=
> >         manualstart=
> >         fragicmp=no
> >         packetdefault=drop
> >         hidetos=yes
> >         uniqueids=yes
> >         overridemtu=16260
> >         nocrsend=yes
> >         nat_traversal=yes
> >         keep_alive=60
> >
> > conn %default
> >         rekeymargin=9m
> >         rekeyfuzz=100%
> >         keyingtries=0
> >
> > conn VPN_5
> >         type=tunnel
> >         keyexchange=ike
> >         pfsgroup=modp1024
> >         pfs=yes
> >         auto=start
> >         authby=secret
> >         ike=3des-md5-modp1024
> >         esp=3des-md5-96
> >         keylife=28800
> >         ikelifetime=2880
> >         compress=no
> >         left=192.168.1.22
> >         leftsubnet=192.168.1.5/255.255.255.255
> >         leftnexthop=10.10.1.119
> >         right=10.10.18.143
> >         rightsubnet=10.10.18.146/255.255.255.255
> >         rightnexthop=10.10.38.10
> >         leftupdown="/opt/_updown 2>/tmp/log 1>/tmp/log"
> >         rightupdown="/opt/_updown 2>/tmp/log 1>/tmp/log"
> >         leftid=192.168.1.22
> >         rightid=10.10.18.143
> >
> > # chroot /var/chroot-ipsec/ /usr/local/lib/ipsec/whack --status
> >
> > 000 interface ipsec0/eth0 192.168.1.22
> > 000 interface ipsec0/eth0 192.168.1.22
> > 000
> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> > 000
> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> > 000
> > 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,96} attrs={0,6,160}
> > 000
> > 000 "VPN_5": 192.168.1.5/32===192.168.1.22---10.10.1.119...10.10.38.10---10.10.18.143===10.10.18.146/32
> > 000 "VPN_5": ike_life: 2880s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> > 000 "VPN_5": policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted
> > 000 "VPN_5": newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
> > 000 "VPN_5": IKE algorithms wanted: 5_000-1-2, flags=-strict
> > 000 "VPN_5": IKE algorithms found: 5_192-1_128-2,
> > 000 "VPN_5": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> > 000 "VPN_5": ESP algorithms wanted: 3_000-1, ; pfsgroup=2; flags=strict
> > 000 "VPN_5": ESP algorithms loaded: 3_168-1_128,
> > 000
> > 000 #6: "VPN_5" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s
> > 000 #1: "VPN_5" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1673s; newest ISAKMP
> > 000
> >
> > Awaiting help for my problem...
> >
> > Thanks for all!!!
> > - Kind Regards.
> >
> > Alberto Fabiano Caires de Medeiros
> > --------------------------------------------------------------------------
> > e-mail: alberto at combat.com.br
> > --------------------------------------------------------------------------
> --
> -> Jean-Francois Dive
> --> jef at linuxbe.org
>
> I think that God in creating Man somewhat overestimated his ability.
> -- Oscar Wilde

From jef at linuxbe.org Thu Oct 2 09:44:08 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Thu, 02 Oct 2003 15:44:08 +0200
Subject: Re: [VPN] FreeSWAN CA 2.02 x PIX - Trouble in phase 2
Message-ID: <1065102247.1441.24.camel@gardafou>

well yes, so you need to set both sides to appropriate settings. Check
algorithms, protocols and selectors, they must match exactly (well let's say
exactly) to get the negotiation to succeed. The debugs on the PIX should show
you the proposals.
Again, if you want you should send your PIX ipsec config and freeswan
ipsec.conf file and one should be able to see what's not correctly configured.

J.

On Thu, 2003-10-02 at 13:58, Alberto Fabiano wrote:
> I already made some experiences, but now I verified that the trouble there
> is in the following point:
>
> - ignoring informational payload, type NO_PROPOSAL_CHOSEN
>
> - max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable
>   response to our first Quick Mode message: perhaps peer likes no proposal
>
> [...]

-- 
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From adam at 68e.com Thu Oct 2 09:54:03 2003
From: adam at 68e.com (Adam Mazza)
Date: Thu, 2 Oct 2003 09:54:03 -0400 (EDT)
Subject: [VPN] VPN and broadband.

Does he have any kind of broadband router? I know certain routers either need
a firmware upgrade, or don't handle the ipsec traffic well at all. On a
Linksys AP/Router before the firmware was upgraded I would see the cisco
client connect, but then no traffic would get passed at all.

Regards,
Adam Mazza

On Wed, 1 Oct 2003, Galeotos, John wrote:
> [...]

Adam Mazza
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x382775D1
Key fingerprint = 5A82 FA7F 459C E805 6C00 3211 48AC 6069 3827 75D1

From jserocki at earthlink.net Thu Oct 2 10:33:18 2003
From: jserocki at earthlink.net (Joe S)
Date: Thu, 2 Oct 2003 09:33:18 -0500 (GMT-05:00)
Subject: [VPN] VPN and broadband.
Message-ID: <8244418.1065105199388.JavaMail.root@waldorf.psp.pas.earthlink.net>

My best guess is this: many companies are now filtering out IPSEC ports 50,
51 and 500 to keep VPN off their networks, unless you pay a premium. Comcast
is one of the culprits, which has a major impact to many customers. Standard
cable internet service is $30 a month, their pro service which does nothing
more but pass these ports and allow you to host if you are so inclined.

The moral to this story, if there is one, is that connection services are no
longer going to offer the free ride that the 'Net is famous for. Time to
change the business model, again.

-----Original Message-----
From: "Galeotos, John"
Sent: Oct 1, 2003 9:26 AM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN and broadband.

[...]

From losttoy2000 at yahoo.co.uk Thu Oct 2 10:54:02 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Thu, 2 Oct 2003 15:54:02 +0100 (BST)
Subject: [VPN] VPN and broadband.
Message-ID: <20031002145402.61682.qmail@web86304.mail.ukl.yahoo.com>

I believe the Cisco VPN client has a logging option. Turn it on and see what
it says. Apart from that, DSL connections have a problem with MTU size on
PPPoE. See this: http://www.dslreports.com/faq/695

--- "Galeotos, John" wrote:
> [...]

From losttoy2000 at yahoo.co.uk Thu Oct 2 10:59:42 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Thu, 2 Oct 2003 15:59:42 +0100 (BST)
Subject: [VPN] VPN PIX-FreeSwan established but no connection
Message-ID: <20031002145942.45913.qmail@web86308.mail.ukl.yahoo.com>

On the PIX, do "debug crypto ipsec" and see the output. How do you know the
IPSec tunnel is established?

--- jmondaca at entelsa.entelnet.bo wrote:
> Looking at the IPSEC and ISAKMP debugs at the PIX, the VPN between these
> boxes is already established but when someone behind the FreeSwan network
> tries to connect to the inside PIX network there are no results (no pings,
> no telnets).
>
> If someone has any idea what it could be, please.
>
> Jorge Mondaca

From byazji at psualum.com Thu Oct 2 20:00:53 2003
From: byazji at psualum.com (Bill Yazji)
Date: Thu, 2 Oct 2003 19:00:53 -0500
Subject: [VPN] VPN and broadband.
In-Reply-To: <8244418.1065105199388.JavaMail.root@waldorf.psp.pas.earthlink.net>

I don't think that's 100% true yet.. Comcast WAS talking about it - but I
don't believe anyone has done the deed yet.
The best pay around any ISP lock, UDP encapsulate your VPN :) they won't know that your UDP port 40xxx is carrying IPSec :) -----Original Message----- From: vpn-bounces+byazji=psualum.com at lists.shmoo.com [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com]On Behalf Of Joe S Sent: Thursday, October 02, 2003 9:33 AM To: Galeotos,John; vpn at lists.shmoo.com Subject: Re: [VPN] VPN and broadband. My best guess is this: many companies are now filtering out IPSEC ports 50, 51 and 500 to keep VPN off their networks, unless you pay a premium. Comcast is one of the culprits, which has a major impact to many customers. Standard cable internet service is $30 a month, their pro service which does nothing more but pass these ports and allow you to host if you are so inclined. The moral to this story, if there is one, is that connection services are no longer going to offer the free ride that the 'Net is famous for. Time to change the business model, again. -----Original Message----- From: "Galeotos, John" Sent: Oct 1, 2003 9:26 AM To: vpn at lists.shmoo.com Subject: [VPN] VPN and broadband. Hello, Mostly I just read the list and try to digest the information, but currently I've run into a situation where I could use some help. We have one user that has never been able to access the VPN using his Bresnan broadband account. I have several users that utilize the same service and have never run into any problems. I suspect it is something physical at his home, whether it is cabling or something similar. This is coming from a stance of very limited knowledge about his set up. We did look at the laptop and we were able to get VPN'd in using dial up ISP. We are using Cisco client on XP laptops and this is the only PC that has had any problems. Possibly a network config problem? Any idea where I should go next? Just troubleshooting here so any ideas would be appreciated. Thanks in advance. John E. 
Galeotos _______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn _______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn From hakan.palm at generic.se Fri Oct 3 02:24:32 2003 From: hakan.palm at generic.se (hakan.palm at generic.se) Date: Fri, 3 Oct 2003 8:24:32 +0200 Subject: Ang: [VPN] VPN and broadband. Message-ID: John, what do you have at the main site? A VPN 3000 Concentrator, a PIX or a Cisco router ? I'll assume that you terminate the VPNs in a VPN 3000 Concentrator. What does the logging on the client side say and what does the logging in the Concentrator say, does it see any connection attempts from the client or? Does the user have a firewall, broadband router or something like that that will not allow the traffic to go trough? Do you use or allow UDP-encapsulation? If you allow it but it is not enabled in the default configuration, try to have the user enable it. If the user can connect properly but not pass traffic then it probably is a NAT problem. Try using UDP encapsulation. Regards, /Palm john.galeotos at us.army.mil 2003-10-02 15:38 Till: vpn at lists.shmoo.com @ INTERNET Kopia: (Blank: Hakan Palm/Generic) ?rende: [VPN] VPN and broadband. Hello, Mostly I just read the list and try to digest the information, but currently I've run into a situation where I could use some help. We have one user that has never been able to access the VPN using his Bresnan broadband account. I have several users that utilize the same service and have never run into any problems. I suspect it is something physical at his home, whether it is cabling or something similar. This is coming from a stance of very limited knowledge about his set up. We did look at the laptop and we were able to get VPN'd in using dial up ISP. We are using Cisco client on XP laptops and this is the only PC that has had any problems. 
Possibly a network config problem? Any idea where I should go next? Just troubleshooting here so any ideas would be appreciated. Thanks in advance. John E. Galeotos _______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn From waltr at umich.edu Fri Oct 3 07:11:15 2003 From: waltr at umich.edu (Walt Reynolds) Date: Fri, 3 Oct 2003 07:11:15 -0400 (EDT) Subject: [VPN] VPN and broadband. In-Reply-To: <8244418.1065105199388.JavaMail.root@waldorf.psp.pas.earthlink.net> References: <8244418.1065105199388.JavaMail.root@waldorf.psp.pas.earthlink.net> Message-ID: There are rumors of this filtering, but no realities to it as far as I can tell. I can tell you specifically that comcast is NOT filtering those ports at this time. On Thu, 2 Oct 2003, Joe S wrote: > My best guess is this: many companies are now filtering out IPSEC ports 50, 51 and 500 to keep VPN off their networks, unless you pay a premium. Comcast is one of the culprits, which has a major impact to many customers. Standard cable internet service is $30 a month, their pro service which does nothing more but pass these ports and allow you to host if you are so inclined. > > The moral to this story, if there is one, is that connection services are no longer going to offer the free ride that the 'Net is famous for. Time to change the business model, again. > > -----Original Message----- > From: "Galeotos, John" > Sent: Oct 1, 2003 9:26 AM > To: vpn at lists.shmoo.com > Subject: [VPN] VPN and broadband. > > > Hello, > > Mostly I just read the list and try to digest the information, but > currently I've > run into a situation where I could use some help. We have one user > that has > never been able to access the VPN using his Bresnan broadband > account. > I have several users that utilize the same service and have never > run into any > problems. I suspect it is something physical at his home, whether it > is cabling > or something similar. 
> This is coming from a stance of very limited knowledge about his set up. We did look at the laptop and we were able to get VPN'd in using a dial up ISP. We are using the Cisco client on XP laptops and this is the only PC that has had any problems. Possibly a network config problem? Any idea where I should go next? Just troubleshooting here so any ideas would be appreciated. Thanks in advance.
>
> John E. Galeotos

--
Walt Reynolds
University of Michigan

From john.galeotos at us.army.mil Fri Oct 3 14:56:07 2003
From: john.galeotos at us.army.mil (Galeotos, John)
Date: Fri, 3 Oct 2003 12:56:07 -0600
Subject: [VPN] VPN and broadband.
Message-ID:

Thanks to all of you. We have it working now. Can I tell you what the fix was? Err... no. It is my thought, though I could be wrong, that this was a PEBCAM: the Problem seemed to Exist Between the Chair And Monitor. We took the machine over to the user's house, plugged it in and it worked. I have kept all the responses on this, however, and will keep these suggestions in mind if we run into the issue again, or if we run into a filtering issue. The UDP-encap solution may be particularly useful in the future. I'll go back to quietly watching the list again as I am learning a lot from all of you. Thanks again.
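Palm's advice in this thread (when the client authenticates but passes no traffic, suspect NAT and enable UDP encapsulation) and the "ports 50, 51 and 500" list in Joe S's mail both come down to what a NAT or a packet filter can actually see in each IPsec packet. The Python below is an added example written for this archive page; it is not code from the list, from Cisco, or from any VPN product. It builds a handful of constructed IPv4 packets using the RFC 5737 documentation addresses 192.0.2.10 (client) and 198.51.100.1 (gateway), with filler bytes standing in for the IKE and ESP bodies, and classifies each as IKE on UDP/500, plain ESP (IP protocol 50), AH (IP protocol 51), or UDP-encapsulated IKE/ESP on UDP/4500 in the later standardized form of RFC 3948 (IKE behind a four-byte zero "non-ESP marker", ESP starting directly with its non-zero SPI). Cisco's own IPSec-over-UDP of the period used a different, configurable port, so only the packet shapes, not the port number, carry over to that implementation.

```python
"""Which IPsec packets can a NAT/PAT device actually track?

Added example for the VPN list thread; not code from the list, Cisco or
any VPN product. Packets are constructed inline (RFC 5737 addresses).
Layouts: ESP = IP proto 50 (SPI, seq, body); AH = IP proto 51; IKE on
UDP/500; RFC 3948 UDP encapsulation on UDP/4500, where IKE carries a
4-byte zero non-ESP marker and ESP starts with its non-zero SPI.
"""

import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
PORT_IKE = 500
PORT_NAT_T = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"

CLIENT = "192.0.2.10"     # constructed, RFC 5737 documentation range
GATEWAY = "198.51.100.1"  # constructed, RFC 5737 documentation range


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; a zero checksum is permitted over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the opaque body."""
    return struct.pack("!II", spi, seq) + body


def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol, addresses and payload; reject malformed headers."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]), "payload": pkt[ihl:]}


def classify(pkt: bytes) -> dict:
    """Name the IPsec component in a packet and whether PAT can map it.

    nat_friendly is True only when the packet has UDP ports a port-translating
    NAT can rewrite and track. Plain ESP has no ports, so PAT can serve at
    most one client behind it (and many boxes just drop it); AH also
    authenticates the outer addresses the NAT rewrites, so it fails at the
    far end regardless.
    """
    ip = parse_ipv4(pkt)
    proto, body = ip["proto"], ip["payload"]
    rec = {"src": ip["src"], "dst": ip["dst"], "kind": "other",
           "ports": None, "spi": None}
    if proto == IPPROTO_ESP and len(body) >= 8:
        rec["kind"] = "ESP"
        rec["spi"] = struct.unpack("!I", body[:4])[0]
    elif proto == IPPROTO_AH:
        rec["kind"] = "AH"
    elif proto == IPPROTO_UDP and len(body) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        inner = body[8:ulen]
        rec["ports"] = (sport, dport)
        if PORT_IKE in (sport, dport):
            rec["kind"] = "IKE"
        elif PORT_NAT_T in (sport, dport):
            if inner[:4] == NON_ESP_MARKER:
                rec["kind"] = "NAT-T IKE"
            elif len(inner) >= 8:
                rec["kind"] = "NAT-T ESP"
                rec["spi"] = struct.unpack("!I", inner[:4])[0]
    rec["nat_friendly"] = rec["kind"] in ("IKE", "NAT-T IKE", "NAT-T ESP")
    return rec


# Constructed sample traffic: the client's packets before and after UDP
# encapsulation is enabled. IKE/ESP bodies are filler bytes.
SPI = 0x0D3B2A1C
SAMPLE_PACKETS = [
    build_ipv4(IPPROTO_UDP, CLIENT, GATEWAY, build_udp(PORT_IKE, PORT_IKE, b"\x11" * 28)),
    build_ipv4(IPPROTO_ESP, CLIENT, GATEWAY, build_esp(SPI, 1, b"\xab" * 16)),
    build_ipv4(IPPROTO_AH, CLIENT, GATEWAY, b"\x04\x04\x00\x00" + b"\x00" * 16),
    build_ipv4(IPPROTO_UDP, CLIENT, GATEWAY,
               build_udp(PORT_NAT_T, PORT_NAT_T, NON_ESP_MARKER + b"\x11" * 28)),
    build_ipv4(IPPROTO_UDP, CLIENT, GATEWAY,
               build_udp(PORT_NAT_T, PORT_NAT_T, build_esp(SPI, 2, b"\xab" * 16))),
]


def summarize(pkts) -> list:
    """(kind, nat_friendly) per packet: the view a firewall/NAT admin needs."""
    return [(r["kind"], r["nat_friendly"]) for r in map(classify, pkts)]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        r = classify(p)
        print(f"{r['kind']:<10} ports={r['ports']} spi={r['spi']} nat_friendly={r['nat_friendly']}")
```

Run as a script it prints one line per constructed packet. The two middle rows are the symptom Palm describes: IKE on UDP/500 traverses the NAT and the tunnel "connects", but the ESP and AH data packets carry no port numbers, so a port-translating NAT has nothing to map them with and the user passes no traffic. Wrapping ESP in UDP gives the NAT ports again, which is why enabling UDP encapsulation on the client is the fix.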
From lennonjs at uol.com.br Mon Oct 6 09:36:55 2003
From: lennonjs at uol.com.br (lennonjs)
Date: Mon, 6 Oct 2003 10:36:55 -0300
Subject: [VPN] Help - Problem VPN Cisco Pix 515E
Message-ID:

Dear friends,

I have a problem. I am trying to establish a tunnel with another company that has the same firewall as mine - Cisco Pix 515 - but I can't get it working; the message presented is the following:

crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3011867608

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP: group is 2
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS**
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: x.x.x.2, dest x.x.x.131
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
VPN Peer: ISAKMP: Peer ip:200.182.223.2 Ref cnt incremented to:2 Total VPN Peers :2
OAK_MM exchange
ISAKMP (0): processing SA payload.
message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 7200
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1458594770

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP: group is 2
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0): processing DELETE payload.
message ID = 3302399666
ISAKMP (0): deleting SA: src x.x.x.2, dst x.x.x.131
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 1981775628
ISAKMP (0): processing notify INITIAL_CONTACT
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x8161af60, conn_id = 0
ISADB: reaper checking SA 0x81530c78, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:x.x.x.2 Ref cnt decremented to:1 Total VPN Peers :2
ISADB: reaper checking SA 0x8161af60, conn_id = 0
ISADB: reaper checking SA 0x81617f48, conn_id = 0
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 933563993

Please, does anybody know what this can be?

Thanks

Lennon

From Meenoo.Shivdasani at venterscience.org Mon Oct 6 23:43:59 2003
From: Meenoo.Shivdasani at venterscience.org (Shivdasani, Meenoo)
Date: Mon, 6 Oct 2003 23:43:59 -0400
Subject: [VPN] IPSEC over UDP or TCP
Message-ID:

I'm interested in people's experiences with implementing IPSEC over UDP or TCP.

Benefits? Disadvantages?

Thanks in advance,

M

From jef at linuxbe.org Tue Oct 7 05:51:27 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Tue, 07 Oct 2003 11:51:27 +0200
Subject: [VPN] Help - Problem VPN Cisco Pix 515E
In-Reply-To:
References:
Message-ID: <1065520287.2645.12.camel@gardafou>

Same thing as previously mentioned on this list, and an IPsec classic: the attributes are not the same for your quick mode. Check your crypto map transform-set definition for the appropriate values (values to check are lifetime, lifetype, algos (crypt and auth), PFS group, etc.).
On Mon, 2003-10-06 at 15:36, lennonjs wrote:
> Dear friends,
>
> I have a problem. I am trying to establish a tunnel with another company that has the same firewall as mine - Cisco Pix 515 - but I can't get it working; the message presented is the following:
>
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 3011867608
>
> ISAKMP : Checking IPSec proposal 1
>
> ISAKMP: transform 1, ESP_3DES
> ISAKMP: attributes in transform:
> ISAKMP: encaps is 1
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (basic) of 28800
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> ISAKMP: authenticator is HMAC-MD5
> ISAKMP: group is 2
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): SA not acceptable!
> ISAKMP (0): sending NOTIFY message 14 protocol 0
> return status is IKMP_ERR_NO_RETRANS**
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> VPN Peer: ISAKMP: Peer ip:200.182.223.2 Ref cnt incremented to:2 Total VPN Peers :2
> OAK_MM exchange
> ISAKMP (0): processing SA payload. message ID = 0
>
> ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
> ISAKMP: encryption 3DES-CBC
> ISAKMP: hash MD5
> ISAKMP: default group 2
> ISAKMP: auth pre-share
> ISAKMP: life type in seconds
> ISAKMP: life duration (basic) of 7200
> ISAKMP (0): atts are acceptable.
> Next payload is 3
> ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_MM exchange
> ISAKMP (0): processing KE payload. message ID = 0
>
> ISAKMP (0): processing NONCE payload. message ID = 0
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): remote peer supports dead peer detection
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): speaking to another IOS box!
>
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_MM exchange
> ISAKMP (0): processing ID payload. message ID = 0
> ISAKMP (0): processing HASH payload. message ID = 0
> ISAKMP (0): SA has been authenticated
>
> ISAKMP (0): ID payload
>         next-payload : 8
>         type         : 1
>         protocol     : 17
>         port         : 500
>         length       : 8
> ISAKMP (0): Total payload length: 12
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 1458594770
>
> ISAKMP : Checking IPSec proposal 1
>
> ISAKMP: transform 1, ESP_3DES
> ISAKMP: attributes in transform:
> ISAKMP: encaps is 1
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (basic) of 28800
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> ISAKMP: authenticator is HMAC-MD5
> ISAKMP: group is 2
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): SA not acceptable!
> ISAKMP (0): sending NOTIFY message 14 protocol 0
> return status is IKMP_ERR_NO_RETRANS
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0): processing DELETE payload.
> message ID = 3302399666
> ISAKMP (0): deleting SA: src x.x.x.2, dst x.x.x.131
> return status is IKMP_NO_ERR_NO_TRANS
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0): processing NOTIFY payload 24578 protocol 1
>         spi 0, message ID = 1981775628
> ISAKMP (0): processing notify INITIAL_CONTACT
> return status is IKMP_NO_ERR_NO_TRANS
> ISADB: reaper checking SA 0x8161af60, conn_id = 0
> ISADB: reaper checking SA 0x81530c78, conn_id = 0 DELETE IT!
>
> VPN Peer: ISAKMP: Peer ip:x.x.x.2 Ref cnt decremented to:1 Total VPN Peers :2
> ISADB: reaper checking SA 0x8161af60, conn_id = 0
> ISADB: reaper checking SA 0x81617f48, conn_id = 0
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 933563993
>
>
> Please, does anybody know what this can be?
>
>
> Thanks
>
> Lennon

--
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From hakan.palm at generic.se Tue Oct 7 07:02:34 2003
From: hakan.palm at generic.se (hakan.palm at generic.se)
Date: Tue, 7 Oct 2003 13:02:34 +0200
Subject: Re: [VPN] Help - Problem VPN Cisco Pix 515E
Message-ID:

Lennon,

it would help if you could post the IPSec configuration from both firewalls and the debug from both firewalls.

Anyway, it seems like you have a mismatch in the transform-set. Verify that the transform-sets used on both sides match.
HTH

Regards,
/Palm

lennonjs at uol.com.br 2003-10-07 02:27
To: VPN at lists.shmoo.com @ INTERNET
Cc: (Blank: Hakan Palm/Generic)
Subject: [VPN] Help - Problem VPN Cisco Pix 515E

Dear friends,

I have a problem. I am trying to establish a tunnel with another company that has the same firewall as mine - Cisco Pix 515 - but I can't get it working; the message presented is the following:

crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3011867608

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP: group is 2
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS**
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: x.x.x.2, dest x.x.x.131
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
VPN Peer: ISAKMP: Peer ip:200.182.223.2 Ref cnt incremented to:2 Total VPN Peers :2
OAK_MM exchange
ISAKMP (0): processing SA payload.
message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 7200
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1458594770

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP: group is 2
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0): processing DELETE payload.
message ID = 3302399666
ISAKMP (0): deleting SA: src x.x.x.2, dst x.x.x.131
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 1981775628
ISAKMP (0): processing notify INITIAL_CONTACT
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x8161af60, conn_id = 0
ISADB: reaper checking SA 0x81530c78, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:x.x.x.2 Ref cnt decremented to:1 Total VPN Peers :2
ISADB: reaper checking SA 0x8161af60, conn_id = 0
ISADB: reaper checking SA 0x81617f48, conn_id = 0
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 933563993

Please, does anybody know what this can be?

Thanks

Lennon

From losttoy2000 at yahoo.co.uk Tue Oct 7 08:29:37 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Tue, 7 Oct 2003 13:29:37 +0100 (BST)
Subject: [VPN] Help - Problem VPN Cisco Pix 515E
In-Reply-To:
Message-ID: <20031007122937.18922.qmail@web86301.mail.ukl.yahoo.com>

Your phase-I seems to be OK. Could it be that your peer isn't getting your reply regarding the phase-II proposal? One reason could be that your or your peer's ISP is blocking IPSec, so ISAKMP (UDP 500) goes through but phase-II IPSec (protocol IDs 50 and 51) doesn't? Just guessing.
--- lennonjs wrote:
> Dear friends,
>
> I have a problem. I am trying to establish a tunnel with another company that has the same firewall as mine - Cisco Pix 515 - but I can't get it working; the message presented is the following:
>
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 3011867608
>
> ISAKMP : Checking IPSec proposal 1
>
> ISAKMP: transform 1, ESP_3DES
> ISAKMP: attributes in transform:
> ISAKMP: encaps is 1
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (basic) of 28800
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> ISAKMP: authenticator is HMAC-MD5
> ISAKMP: group is 2
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): SA not acceptable!
> ISAKMP (0): sending NOTIFY message 14 protocol 0
> return status is IKMP_ERR_NO_RETRANS**
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> VPN Peer: ISAKMP: Peer ip:200.182.223.2 Ref cnt incremented to:2 Total VPN Peers :2
> OAK_MM exchange
> ISAKMP (0): processing SA payload. message ID = 0
>
> ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
> ISAKMP: encryption 3DES-CBC
> ISAKMP: hash MD5
> ISAKMP: default group 2
> ISAKMP: auth pre-share
> ISAKMP: life type in seconds
> ISAKMP: life duration (basic) of 7200
> ISAKMP (0): atts are acceptable.
> Next payload is 3
> ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_MM exchange
> ISAKMP (0): processing KE payload. message ID = 0
>
> ISAKMP (0): processing NONCE payload. message ID = 0
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): remote peer supports dead peer detection
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): speaking to another IOS box!
>
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_MM exchange
> ISAKMP (0): processing ID payload. message ID = 0
> ISAKMP (0): processing HASH payload. message ID = 0
> ISAKMP (0): SA has been authenticated
>
> ISAKMP (0): ID payload
>         next-payload : 8
>         type         : 1
>         protocol     : 17
>         port         : 500
>         length       : 8
> ISAKMP (0): Total payload length: 12
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 1458594770
>
> ISAKMP : Checking IPSec proposal 1
>
> ISAKMP: transform 1, ESP_3DES
> ISAKMP: attributes in transform:
> ISAKMP: encaps is 1
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (basic) of 28800
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> ISAKMP: authenticator is HMAC-MD5
> ISAKMP: group is 2
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): SA not acceptable!
> ISAKMP (0): sending NOTIFY message 14 protocol 0
> return status is IKMP_ERR_NO_RETRANS
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0): processing DELETE payload.
> message ID = 3302399666
> ISAKMP (0): deleting SA: src x.x.x.2, dst x.x.x.131
> return status is IKMP_NO_ERR_NO_TRANS
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0): processing NOTIFY payload 24578 protocol 1
>         spi 0, message ID = 1981775628
> ISAKMP (0): processing notify INITIAL_CONTACT
> return status is IKMP_NO_ERR_NO_TRANS
> ISADB: reaper checking SA 0x8161af60, conn_id = 0
> ISADB: reaper checking SA 0x81530c78, conn_id = 0 DELETE IT!
>
> VPN Peer: ISAKMP: Peer ip:x.x.x.2 Ref cnt decremented to:1 Total VPN Peers :2
> ISADB: reaper checking SA 0x8161af60, conn_id = 0
> ISADB: reaper checking SA 0x81617f48, conn_id = 0
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 933563993
>
>
> Please, does anybody know what this can be?
>
>
> Thanks
>
> Lennon

From Andrew.Prince at TrinitySecurity.com Tue Oct 7 12:36:41 2003
From: Andrew.Prince at TrinitySecurity.com (Andrew Prince)
Date: Tue, 7 Oct 2003 17:36:41 +0100
Subject: [VPN] Help - Problem VPN Cisco Pix 515E
In-Reply-To: <1065520287.2645.12.camel@gardafou>
Message-ID: <000801c38cf1$3010f310$0201a8c0@phobos>

You do not have to have the same (identical) configuration at both ends. Check your ISAKMP encryption, hash and Diffie-Hellman group - if these do not match, phase 1 will fail.
Also ensure your IPSEC transform sets at both ends match.

> I have a problem. I am trying to establish a tunnel with another company that has the same firewall as mine - Cisco Pix 515 - but I can't get it working; the message presented is the following:
>
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 3011867608
>
> ISAKMP : Checking IPSec proposal 1
>
> ISAKMP: transform 1, ESP_3DES
> ISAKMP: attributes in transform:
> ISAKMP: encaps is 1
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (basic) of 28800
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> ISAKMP: authenticator is HMAC-MD5
> ISAKMP: group is 2
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): SA not acceptable!
> ISAKMP (0): sending NOTIFY message 14 protocol 0
> return status is IKMP_ERR_NO_RETRANS**
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> VPN Peer: ISAKMP: Peer ip:200.182.223.2 Ref cnt incremented to:2 Total VPN Peers :2
> OAK_MM exchange
> ISAKMP (0): processing SA payload. message ID = 0
>
> ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
> ISAKMP: encryption 3DES-CBC
> ISAKMP: hash MD5
> ISAKMP: default group 2
> ISAKMP: auth pre-share
> ISAKMP: life type in seconds
> ISAKMP: life duration (basic) of 7200
> ISAKMP (0): atts are acceptable.
> Next payload is 3
> ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_MM exchange
> ISAKMP (0): processing KE payload. message ID = 0
>
> ISAKMP (0): processing NONCE payload. message ID = 0
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): remote peer supports dead peer detection
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): speaking to another IOS box!
>
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_MM exchange
> ISAKMP (0): processing ID payload. message ID = 0
> ISAKMP (0): processing HASH payload. message ID = 0
> ISAKMP (0): SA has been authenticated
>
> ISAKMP (0): ID payload
>         next-payload : 8
>         type         : 1
>         protocol     : 17
>         port         : 500
>         length       : 8
> ISAKMP (0): Total payload length: 12
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 1458594770
>
> ISAKMP : Checking IPSec proposal 1
>
> ISAKMP: transform 1, ESP_3DES
> ISAKMP: attributes in transform:
> ISAKMP: encaps is 1
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (basic) of 28800
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> ISAKMP: authenticator is HMAC-MD5
> ISAKMP: group is 2
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): SA not acceptable!
> ISAKMP (0): sending NOTIFY message 14 protocol 0
> return status is IKMP_ERR_NO_RETRANS
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0): processing DELETE payload.
> message ID = 3302399666
> ISAKMP (0): deleting SA: src x.x.x.2, dst x.x.x.131
> return status is IKMP_NO_ERR_NO_TRANS
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0): processing NOTIFY payload 24578 protocol 1
>         spi 0, message ID = 1981775628
> ISAKMP (0): processing notify INITIAL_CONTACT
> return status is IKMP_NO_ERR_NO_TRANS
> ISADB: reaper checking SA 0x8161af60, conn_id = 0
> ISADB: reaper checking SA 0x81530c78, conn_id = 0 DELETE IT!
>
> VPN Peer: ISAKMP: Peer ip:x.x.x.2 Ref cnt decremented to:1 Total VPN Peers :2
> ISADB: reaper checking SA 0x8161af60, conn_id = 0
> ISADB: reaper checking SA 0x81617f48, conn_id = 0
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block: src x.x.x.2, dest x.x.x.131
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 933563993
>
>
> Please, does anybody know what this can be?
>
>
> Thanks
>
> Lennon

--
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From losttoy2000 at yahoo.co.uk Tue Oct 7 12:45:08 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Tue, 7 Oct 2003 17:45:08 +0100 (BST)
Subject: [VPN] IPSEC over UDP or TCP
In-Reply-To:
Message-ID: <20031007164508.77862.qmail@web86305.mail.ukl.yahoo.com>

Advantages: Beats ISP blocking of IPSec traffic and overcomes NAT difficulties.
Cons: Decreases throughput because you have higher overheads. Original packet inside IPSec inside TCP/UDP packet.

--- "Shivdasani, Meenoo" wrote:
>
> I'm interested in people's experiences with implementing IPSEC over UDP or TCP.
>
> Benefits? Disadvantages?
>
> Thanks in advance,
>
> M

From waltr at umich.edu Tue Oct 7 13:06:50 2003
From: waltr at umich.edu (Walt Reynolds)
Date: Tue, 7 Oct 2003 13:06:50 -0400 (EDT)
Subject: [VPN] IPSEC over UDP or TCP
In-Reply-To: <20031007164508.77862.qmail@web86305.mail.ukl.yahoo.com>
References: <20031007164508.77862.qmail@web86305.mail.ukl.yahoo.com>
Message-ID:

Has there been confirmation that ISPs are blocking IPSec traffic? There seem to be a lot of rumors and speculation, but it seems an urban legend to me at this point.

On Tue, 7 Oct 2003, Siddhartha Jain wrote:

> Advantages: Beats ISP blocking of IPSec traffic and overcomes NAT difficulties.
>
> Cons: Decreases throughput because you have higher overheads. Original packet inside IPSec inside TCP/UDP packet.
>
>
>
> --- "Shivdasani, Meenoo" wrote:
> >
> > I'm interested in people's experiences with implementing IPSEC over UDP or TCP.
> >
> > Benefits? Disadvantages?
> >
> > Thanks in advance,
> >
> > M
--
Walt Reynolds
University of Michigan

From Andrew.Prince at TrinitySecurity.com Tue Oct 7 13:13:10 2003
From: Andrew.Prince at TrinitySecurity.com (Andrew Prince)
Date: Tue, 7 Oct 2003 18:13:10 +0100
Subject: [VPN] IPSEC over UDP or TCP
In-Reply-To:
Message-ID: <001201c38cf6$48b8a610$0201a8c0@phobos>

Pros - You can use it via ISPs that would normally block/drop IPSEC VPN traffic; it also bypasses the problems with some equipment that does not understand VPNs or allow VPN pass-through.

Cons - Incorrect configurations on the VPN device and subsequent firewall devices; larger TCP packet = higher latencies.

-----Original Message-----
From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com [mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On Behalf Of Shivdasani, Meenoo
Sent: 07 October 2003 04:44
To: VPN at lists.shmoo.com
Subject: [VPN] IPSEC over UDP or TCP

I'm interested in people's experiences with implementing IPSEC over UDP or TCP.

Benefits? Disadvantages?

Thanks in advance,

M

From strgout at unixjunkie.com Tue Oct 7 14:04:35 2003
From: strgout at unixjunkie.com (John)
Date: Tue, 7 Oct 2003 13:04:35 -0500
Subject: [VPN] IPSEC over UDP or TCP
In-Reply-To:
References:
Message-ID: <20031007180435.GA2202@mail.unixjunkie.com>

On Mon, Oct 06, 2003 at 11:43:59PM -0400, Shivdasani, Meenoo wrote:
>
> I'm interested in people's experiences with implementing IPSEC over UDP or TCP.
>
> Benefits? Disadvantages?
>
> Thanks in advance,
>
> M

I've set up IPSEC over UDP before and found it to work quite nicely.
If there is some kind of option for sending keepalives I would enable it, if anything just to keep the UDP connection in the state table on the firewall fresh. I haven't tried TCP just because I didn't want to worry about TCP MSS/PMTU/frag issues. Oh, by the way, that was with a Cisco 3030 VPN concentrator.

From byazji at psualum.com Tue Oct 7 18:17:42 2003
From: byazji at psualum.com (Bill Yazji)
Date: Tue, 7 Oct 2003 17:17:42 -0500
Subject: [VPN] IPSEC over UDP or TCP
In-Reply-To: <20031007164508.77862.qmail@web86305.mail.ukl.yahoo.com>
Message-ID:

Quantify your "con" - significant testing has shown this really isn't the case....

~B

-----Original Message-----
From: vpn-bounces+byazji=psualum.com at lists.shmoo.com [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com] On Behalf Of Siddhartha Jain
Sent: Tuesday, October 07, 2003 11:45 AM
To: VPN at lists.shmoo.com
Subject: Re: [VPN] IPSEC over UDP or TCP

Advantages: Beats ISP blocking of IPSec traffic and overcomes NAT difficulties.

Cons: Decreases throughput because you have higher overheads. Original packet inside IPSec inside TCP/UDP packet.

--- "Shivdasani, Meenoo" wrote:
>
> I'm interested in people's experiences with
> implementing IPSEC over UDP
> or TCP.
>
> Benefits? Disadvantages?
>
> Thanks in advance,
>
> M

From fred.goldberg at lmco.com Wed Oct 8 14:59:39 2003
From: fred.goldberg at lmco.com (Goldberg, Fred)
Date: Wed, 08 Oct 2003 14:59:39 -0400
Subject: [VPN] VPN and broadband.
Message-ID: <18688A1F3CE8364891AE1A028892BC9F03138AE3@EMSS04M19.us.lmco.com>

I have had some definite reports that they are filtering VPNs, and I also have first-hand knowledge that in other places they are not. It seems to vary with the local branch of the network that serves you. When they first announced this they clarified the statement within a few days to say they were not going after the guy who comes home in the evening and checks his email; they are looking for people who regularly work from home at residential rates. Nonetheless, the reports that it is actually blocked on some parts of their network persist.

Fred

-----Original Message-----
From: Walt Reynolds [mailto:waltr at umich.edu]
Sent: Friday, October 03, 2003 7:11 AM
To: Joe S
Cc: vpn at lists.shmoo.com; Galeotos,John
Subject: Re: [VPN] VPN and broadband.

There are rumors of this filtering, but no realities to it as far as I can tell. I can tell you specifically that Comcast is NOT filtering those ports at this time.

On Thu, 2 Oct 2003, Joe S wrote:

> My best guess is this: many companies are now filtering out IPSEC ports 50, 51 and 500 to keep VPN off their networks, unless you pay a premium. Comcast is one of the culprits, which has a major impact on many customers. Standard cable internet service is $30 a month; their pro service does nothing more than pass these ports and allow you to host if you are so inclined.
>
> The moral to this story, if there is one, is that connection services are no longer going to offer the free ride that the 'Net is famous for. Time to change the business model, again.
>
> -----Original Message-----
> From: "Galeotos, John"
> Sent: Oct 1, 2003 9:26 AM
> To: vpn at lists.shmoo.com
> Subject: [VPN] VPN and broadband.
>
>
> Hello,
>
> Mostly I just read the list and try to digest the information, but
> currently I've
> run into a situation where I could use some help.
> We have one user
> that has
> never been able to access the VPN using his Bresnan broadband
> account.
> I have several users that utilize the same service and have never
> run into any
> problems. I suspect it is something physical at his home, whether it
> is cabling
> or something similar. This is coming from a stance of very limited
> knowledge
> about his set up. We did look at the laptop and we were able to get
> VPN'd in
> using dial up ISP. We are using Cisco client on XP laptops and this
> is the
> only PC that has had any problems. Possibly a network config
> problem? Any
> idea where I should go next? Just troubleshooting here so any ideas
> would
> be appreciated. Thanks in advance.
>
> John E. Galeotos

-- Walt Reynolds University of Michigan

From jef at linuxbe.org Thu Oct 9 02:43:31 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Thu, 09 Oct 2003 08:43:31 +0200
Subject: [VPN] IPSEC over UDP or TCP
In-Reply-To:
References:
Message-ID: <1065681811.1416.8.camel@gardafou>

The real point in this is that using TCP to encapsulate IP traffic which itself consists of TCP traffic is a very bad idea; UDP is the way to go. Why? In case of congestion, there is a clash between the two TCP session timers: the outer one (the carrying one) will retransmit the lost/non-acked segments. This means that the inner TCP session (the user traffic) won't receive any packets for a while, making it drop its sending rate very much. For more details, have a look at http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

As far as overhead is concerned, I really don't think this is a real argument; I am still waiting to see numbers.

On Wed, 2003-10-08 at 00:17, Bill Yazji wrote:
> Quantify your "con" - significant testing has shown this really isn't the
> case....
>
> ~B
>
> -----Original Message-----
> From: vpn-bounces+byazji=psualum.com at lists.shmoo.com
> [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com]On Behalf Of
> Siddhartha Jain
> Sent: Tuesday, October 07, 2003 11:45 AM
> To: VPN at lists.shmoo.com
> Subject: Re: [VPN] IPSEC over UDP or TCP
>
>
> Advantages: Beats ISP blocking of IPSec traffic and
> overcomes NAT difficulties.
>
> Cons: Decreases throughput because you have higher
> overheads. Original packet inside IPSec inside TCP/UDP
> packet.
>
>
>
> --- "Shivdasani, Meenoo"
> wrote:
>
> > I'm interested in people's experiences with
> > implementing IPSEC over UDP
> > or TCP.
> >
> > Benefits? Disadvantages?
> >
> > Thanks in advance,
> >
> > M

--
-> Jean-Francois Dive --> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
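Dive's clash of timers (the outer TCP retransmitting while the inner TCP sees nothing and backs off) is easier to see in a model than in prose. The block below is an added toy simulation written for this edit; it is not code from the thread or from the page Dive links to. One tick is one round trip; the inner TCP grows its window in slow start and then congestion avoidance, and a lost carrier packet is handled either by the inner TCP (UDP carrier: fast retransmit, window halved) or by the outer TCP (TCP carrier: the outer retransmits after its own timeout and, because it delivers in order, holds back everything behind the hole). The window sizes and timer lengths are assumptions picked to make the mechanism visible, not measurements.

```python
def simulate_tunnel(carrier, lost_ticks, ticks=20, inner_rto=3, outer_rto=3,
                    cwnd=2, ssthresh=8):
    """Count new segments delivered to the inner receiver over `ticks` round trips.

    Toy model (assumptions, not measurements): one tick is one RTT; the inner TCP
    sends cwnd segments per tick, doubling cwnd up to ssthresh and adding one
    per tick after that.  A lost carrier packet at a tick in `lost_ticks` is
    handled by whoever owns reliability:
      "udp" - the inner TCP sees the hole itself: fast retransmit, cwnd halved.
      "tcp" - the outer TCP retransmits after outer_rto ticks and, delivering
              in order, holds back everything sent meanwhile; the inner TCP
              sees only silence, so once inner_rto ticks pass its own timer
              fires, cwnd drops to one segment and it resends data that the
              outer TCP still holds and will deliver anyway.
    """
    assert carrier in ("udp", "tcp")
    delivered = 0
    queued = 0   # inner segments parked in the outer TCP until its retransmission lands
    stall = 0    # ticks until the outer TCP has recovered and flushes `queued`
    idle = 0     # consecutive ticks the inner sender has waited without an ACK
    retx = 0     # segments the inner timeout will resend although nothing was lost
    for t in range(ticks):
        if stall:
            stall -= 1
            idle += 1
            if idle >= inner_rto:               # spurious inner timeout
                ssthresh, cwnd, idle = max(cwnd // 2, 2), 1, 0
                retx += queued
            if stall == 0:                      # outer retransmission arrives, queue drains
                delivered += queued
                queued = 0
            continue
        if t in lost_ticks:
            if carrier == "udp":
                delivered += cwnd - 1           # rest of the window gets through
                ssthresh = cwnd = max(cwnd // 2, 2)
            else:
                queued += cwnd                  # outer TCP absorbs the loss; inner sees nothing
                stall, idle = outer_rto, 1
            continue
        fresh = max(cwnd - retx, 0)             # retransmissions displace new data
        retx = max(retx - cwnd, 0)
        delivered += fresh
        idle = 0
        cwnd = min(cwnd * 2, ssthresh) if cwnd < ssthresh else cwnd + 1
    return delivered


if __name__ == "__main__":
    loss = {5}                                  # one carrier packet lost at round trip 5
    for carrier in ("udp", "tcp"):
        print(f"{carrier} carrier, one loss: {simulate_tunnel(carrier, loss)} new segments")
    print("tcp carrier, outer recovers in 1 RTT:", simulate_tunnel("tcp", loss, outer_rto=1))
```

With the defaults a single loss at tick 5 leaves the UDP carrier delivering 204 new segments in 20 round trips and the TCP carrier 108: the inner timer fires during the outer's recovery, the window collapses to one segment, and the next three round trips are spent resending data the outer TCP had already delivered. Setting outer_rto=1 (the outer recovers before the inner timer expires) makes the TCP carrier come out ahead, which is the honest caveat: the damage appears once the outer's recovery outlasts the inner's RTO, and since both timers are derived from the same round trip and the outer one backs off exponentially on repeated loss, that is the common case under congestion.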
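Siddhartha's "con" (throughput lost to an extra layer of headers), Bill's "quantify it", Dive's "I am still waiting to see numbers" and John's note about keeping the UDP state entry alive all turn on the same few bytes of framing, which the NAT-T draft cited later in the thread (published as RFC 3948) fixes. The following is an added example written for this edit, not code from any poster or from the draft. It classifies a datagram received on UDP/4500 by the RFC 3948 rules (a four-zero-byte non-ESP marker in front of IKE, a non-zero SPI for ESP, a single 0xFF byte for the NAT keepalive) and then does the byte accounting for ESP tunnel mode with and without the UDP wrapper. The transform sizes (16-byte AES-CBC IV and block, 12-byte HMAC-SHA1-96 ICV) and the 1500-byte path MTU are assumptions; the padding rule is ESP's own. The sample datagrams in the main block are constructed, not captured.

```python
import struct

NATT_PORT = 4500                        # RFC 3947/3948: NAT-T runs on UDP 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948 3.1: prefixed to IKE sent over 4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 2.3: one-byte keepalive payload
IKE_HEADER_LEN = 28                     # fixed ISAKMP header that follows the marker


def classify_natt_payload(payload: bytes) -> str:
    """Say what a datagram received on UDP/4500 carries, by RFC 3948 framing alone."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER) and len(payload) >= 4 + IKE_HEADER_LEN:
        return "ike"
    if len(payload) >= 8:                        # SPI + sequence number at least
        spi = struct.unpack("!I", payload[:4])[0]
        if spi != 0:                             # SPI 0 is reserved, so this is ESP
            return "esp"
    return "invalid"


def udp_encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE shares the 4500 socket with ESP, so it is marked with four zero bytes."""
    return NON_ESP_MARKER + ike_message


def udp_encapsulate_esp(esp_packet: bytes) -> bytes:
    """ESP goes straight after the UDP header; its non-zero SPI is the discriminator."""
    return esp_packet


def esp_tunnel_sizes(inner_len, iv_len=16, block=16, icv_len=12, natt=False):
    """Byte accounting for an IPv4 packet of inner_len bytes sent in ESP tunnel mode.

    ESP pads so that payload + pad + 2 trailer bytes is a multiple of the cipher
    block.  The defaults (AES-CBC IV/block, HMAC-SHA1-96 ICV) are assumptions.
    """
    pad = (-(inner_len + 2)) % block
    esp_len = 8 + iv_len + inner_len + pad + 2 + icv_len    # SPI+seq, IV, data, trailer, ICV
    outer_len = 20 + (8 if natt else 0) + esp_len            # outer IPv4 plus optional UDP
    return {
        "pad": pad,
        "esp": esp_len,
        "outer": outer_len,
        "overhead": outer_len - inner_len,
        "efficiency": round(inner_len / outer_len, 3),
    }


def max_inner_for_mtu(mtu=1500, natt=False, **transform):
    """Largest inner packet whose encapsulated form still fits the path MTU."""
    fits = 0
    for n in range(1, mtu):
        if esp_tunnel_sizes(n, natt=natt, **transform)["outer"] <= mtu:
            fits = n
    return fits


if __name__ == "__main__":
    # Constructed sample datagrams, not captures: an IKE header of 28 filler bytes,
    # an ESP packet with SPI 0x1234 and sequence 1, and the keepalive.
    for sample in (udp_encapsulate_ike(b"\x01" * IKE_HEADER_LEN),
                   udp_encapsulate_esp(struct.pack("!II", 0x1234, 1) + b"\x00" * 24),
                   NAT_KEEPALIVE):
        print(f"{len(sample):4d} bytes -> {classify_natt_payload(sample)}")
    for size in (40, 576, 1400):
        plain, wrapped = esp_tunnel_sizes(size), esp_tunnel_sizes(size, natt=True)
        print(f"inner {size:5d}: ESP {plain['outer']:5d} bytes, "
              f"NAT-T {wrapped['outer']:5d} bytes, efficiency {wrapped['efficiency']}")
    print("max inner for MTU 1500:", max_inner_for_mtu(), "plain,",
          max_inner_for_mtu(natt=True), "with NAT-T")
```

For a 1400-byte inner packet the UDP wrapper costs 8 bytes on top of the 64 that ESP tunnel mode already adds (1472 versus 1464 bytes on the wire), which is the whole of the NAT-T "overhead" argument. The larger effect is on fragmentation: the biggest inner packet that still fits a 1500-byte path drops from 1438 to 1422 bytes, so a TCP MSS inside the tunnel that is not clamped accordingly produces fragments, which is the MSS/PMTU problem John mentions.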
-- Oscar Wilde

From asaine at qanet.gm Thu Oct 9 14:05:32 2003
From: asaine at qanet.gm (Anna Secka Saine)
Date: Thu, 09 Oct 2003 18:05:32 +0000
Subject: [VPN] Cannot get PIX 501 version 6.3 (1) to work with NAT
Message-ID: <3F85A36C.3090505@qanet.gm>

I seem to have trouble with NAT on the above version. The PIX can ping but the machines inside cannot ping or browse. I did have nat enabled, i.e. nat (inside) 1 0 0. The same configuration works on version 6.2 (2). Any ideas? Thanks.

From keithp at corp.ptd.net Thu Oct 9 14:34:16 2003
From: keithp at corp.ptd.net (Keith Pachulski)
Date: Thu, 9 Oct 2003 14:34:16 -0400
Subject: [VPN] Cannot get PIX 501 version 6.3 (1) to work with NAT
Message-ID:

Not sure how this question applies to this list, but anyhow -- did you use the global statement to define the interface to translate to, or a pool to translate to?

global (outside) 1 interface - example

-----Original Message-----
From: Anna Secka Saine [mailto:asaine at qanet.gm]
Sent: Thursday, October 09, 2003 2:06 PM
To: vpn at lists.shmoo.com
Subject: [VPN] Cannot get PIX 501 version 6.3 (1) to work with NAT

I seem to have trouble with NAT on the above version. The PIX can ping but the machines inside cannot ping or browse. I did have nat enabled, i.e. nat (inside) 1 0 0. The same configuration works on version 6.2 (2). Any ideas? Thanks.

From Andrew.Prince at TrinitySecurity.com Thu Oct 9 14:49:59 2003
From: Andrew.Prince at TrinitySecurity.com (Andrew Prince)
Date: Thu, 9 Oct 2003 19:49:59 +0100
Subject: [VPN] Cannot get PIX 501 version 6.3 (1) to work with NAT
In-Reply-To: <3F85A36C.3090505@qanet.gm>
Message-ID: <000401c38e96$241fd390$0700000a@DEIMOS>

Are you trying to interface NAT (the outside interface) or are you trying to NAT to a specific IP address??
-----Original Message----- From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com [mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On Behalf Of Anna Secka Saine Sent: 09 October 2003 19:06 To: vpn at lists.shmoo.com Subject: [VPN] Cannot get PIX 501 version 6.3 (1) to work with NAT I seem to have trouble with NAT on the above version. The PIX can ping but the machines inside cannot ping or browse. I did have nat enabled, i.e. nat (inside) 1 0 0. The same configurations works on version 6.2 (2). Any ideas. Thanks. _______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn From jsdy at center.osis.gov Thu Oct 9 15:24:44 2003 From: jsdy at center.osis.gov (Joseph S D Yao) Date: Thu, 9 Oct 2003 15:24:44 -0400 Subject: [VPN] IPSEC over UDP or TCP In-Reply-To: References: <20031007164508.77862.qmail@web86305.mail.ukl.yahoo.com> Message-ID: <20031009152444.N21828@franklin.center.osis.gov> On Tue, Oct 07, 2003 at 01:06:50PM -0400, Walt Reynolds wrote: > Has there been confirmation that ISP's are blocking IPSec traffic. There > seems to be a lot of rumors and speculation, but seems urban legend to me > at this point. The late @Home network did. As you say, there is rumor that other ISP's also did so, but I don't know who is actually doing this. -- Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao OSIS Center Systems Support EMT-B ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies. From HKeiner at bart.gov Thu Oct 9 17:38:16 2003 From: HKeiner at bart.gov (HKeiner at bart.gov) Date: Thu, 9 Oct 2003 14:38:16 -0700 Subject: [VPN] Audit Program for VPN Message-ID: Hi, I saw the below message on a bulletin board and was wondering if you got a response and now have such an audit program. If so, would you be willing to share it? 
I am an internal audit manager for an organization that has VPNs and I would like one of my EDP audit staff to do an audit of this area. Thanks, Hal Keiner Internal Audit Manager Bay Area Rapid Transit District 510-464-7570 ----------------------------------------------------------------------------------------- Howdy All! I've searched the archives to no avail, so I would like to tap your resources and knowledge.... Does anyone have a copy of an audit program utilized by internal/IT auditors to audit VPN implementation, policies, and procedures? I've researched the best practices, and it has provided some insight, but I would like to see an actual VPN audit program - if possible! Thanks! Bobby ----------------------------------------------------- From dr_t1mel0rd at hotmail.com Thu Oct 9 21:15:12 2003 From: dr_t1mel0rd at hotmail.com (Dr T1meL0rD) Date: Thu, 09 Oct 2003 21:15:12 -0400 Subject: [VPN] Cannot get PIX 501 version 6.3 (1) to work with NAT Message-ID: A more appropriate forum would be the firewall wizards list at firewall-wizards at honor.icsalabs.com -----Original Message----- From: Keith Pachulski [mailto:keithp at corp.ptd.net] Sent: Thursday, October 09, 2003 2:34 PM To: Anna Secka Saine; vpn at lists.shmoo.com Subject: RE: [VPN] Cannot get PIX 501 version 6.3 (1) to work with NAT not sure how this question applies to this list but anyhow -- did you use the global statement to define the interface to translate to or a pool to translate too? global (outside) 1 interface - example -----Original Message----- From: Anna Secka Saine [mailto:asaine at qanet.gm] Sent: Thursday, October 09, 2003 2:06 PM To: vpn at lists.shmoo.com Subject: [VPN] Cannot get PIX 501 version 6.3 (1) to work with NAT I seem to have trouble with NAT on the above version. The PIX can ping but the machines inside cannot ping or browse. I did have nat enabled, i.e. nat (inside) 1 0 0. The same configurations works on version 6.2 (2). Any ideas. Thanks. 
_______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn _________________________________________________________________ Get MSN 8 Dial-up Internet Service FREE for one month. Limited time offer-- sign up now! http://join.msn.com/?page=dept/dialup From evyncke at cisco.com Fri Oct 10 12:01:26 2003 From: evyncke at cisco.com (Eric Vyncke) Date: Fri, 10 Oct 2003 18:01:26 +0200 Subject: [VPN] IPSEC over UDP or TCP In-Reply-To: References: <20031007164508.77862.qmail@web86305.mail.ukl.yahoo.com> <20031007164508.77862.qmail@web86305.mail.ukl.yahoo.com> Message-ID: <5.1.0.14.2.20031010180105.02fe1368@localhost> At 13:06 7/10/2003 -0400, Walt Reynolds wrote: >Has there been confirmation that ISP's are blocking IPSec traffic. There >seems to be a lot of rumors and speculation, but seems urban legend to me >at this point. This is actually a matter of fact at least in a couple of European countries... -eric From losttoy2000 at yahoo.co.uk Fri Oct 10 13:53:34 2003 From: losttoy2000 at yahoo.co.uk (=?iso-8859-1?q?Siddhartha=20Jain?=) Date: Fri, 10 Oct 2003 18:53:34 +0100 (BST) Subject: [VPN] IPSEC over UDP or TCP In-Reply-To: Message-ID: <20031010175334.25923.qmail@web86308.mail.ukl.yahoo.com> Thats interesting. I assumed a higher overhead for obvious reasons. Can you point to any studies or white papers proving that NAT-T doesn't affect performance?? Thanks, Siddhartha --- Bill Yazji wrote: > Quantify your "con" - significant testing has shown > this really isn't the > case.... > > ~B > > -----Original Message----- > From: vpn-bounces+byazji=psualum.com at lists.shmoo.com > [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com]On > Behalf Of > Siddhartha Jain > Sent: Tuesday, October 07, 2003 11:45 AM > To: VPN at lists.shmoo.com > Subject: Re: [VPN] IPSEC over UDP or TCP > > > Advantages: Beats ISP blocking of IPSec traffic and > overcomes NAT difficulties. 
>
> Cons: Decreases throughput because you have higher
> overheads. Original packet inside IPSec inside
> TCP/UDP
> packet.
>
>
>
> --- "Shivdasani, Meenoo"
> wrote:
>
> > I'm interested in people's experiences with
> > implementing IPSEC over UDP
> > or TCP.
> >
> > Benefits? Disadvantages?
> >
> > Thanks in advance,
> >
> > M

From losttoy2000 at yahoo.co.uk Sat Oct 11 07:55:08 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Sat, 11 Oct 2003 12:55:08 +0100 (BST)
Subject: Fwd: RE: [VPN] IPSEC over UDP or TCP
Message-ID: <20031011115508.41015.qmail@web86310.mail.ukl.yahoo.com>

So did you do testing on your own?? Can you provide some results or test methodology?

--- Bill Yazji wrote:
> From: "Bill Yazji"
> To: "Siddhartha Jain"
> Subject: RE: [VPN] IPSEC over UDP or TCP
> Date: Fri, 10 Oct 2003 15:27:05 -0500
>
> I haven't seen anything formal. Do your own testing!
> > -----Original Message----- > From: vpn-bounces+byazji=psualum.com at lists.shmoo.com > [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com]On > Behalf Of > Siddhartha Jain > Sent: Friday, October 10, 2003 12:54 PM > To: VPN at lists.shmoo.com > Subject: RE: [VPN] IPSEC over UDP or TCP > > > Thats interesting. I assumed a higher overhead for > obvious reasons. Can you point to any studies or > white > papers proving that NAT-T doesn't affect > performance?? > > Thanks, > > Siddhartha > > > > --- Bill Yazji wrote: > > Quantify > your "con" - significant testing has shown > > this really isn't the > > case.... > > > > ~B > > > > -----Original Message----- > > From: > vpn-bounces+byazji=psualum.com at lists.shmoo.com > > > [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com]On > > Behalf Of > > Siddhartha Jain > > Sent: Tuesday, October 07, 2003 11:45 AM > > To: VPN at lists.shmoo.com > > Subject: Re: [VPN] IPSEC over UDP or TCP > > > > > > Advantages: Beats ISP blocking of IPSec traffic > and > > overcomes NAT difficulties. > > > > Cons: Decreases throughput because you have higher > > overheads. Original packet inside IPSec inside > > TCP/UDP > > packet. > > > > > > > > --- "Shivdasani, Meenoo" > > wrote: > > > > I'm interested in people's experiences with > > > implementing IPSEC over UDP > > > or TCP. > > > > > > Benefits? Disadvantages? > > > > > > Thanks in advance, > > > > > > M > > > _______________________________________________ > > > VPN mailing list > > > VPN at lists.shmoo.com > > > http://lists.shmoo.com/mailman/listinfo/vpn > > > > > ________________________________________________________________________ > > Want to chat instantly with your online friends? > > Get the FREE Yahoo! 
> > Messenger http://mail.messenger.yahoo.co.uk

From shannon at gillenwater.name Sat Oct 11 12:05:27 2003
From: shannon at gillenwater.name (shannong)
Date: Sat, 11 Oct 2003 11:05:27 -0500
Subject: [VPN] IPSEC over UDP or TCP
In-Reply-To: <20031010175334.25923.qmail@web86308.mail.ukl.yahoo.com>
Message-ID: <009601c39011$7fa48cc0$0101a8c0@ASTEROID>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: NAT-T is a standard and specifies only UDP over port 4500. Some vendors provide a proprietary method (namely Cisco) for UDP encapsulation over other defined ports and even with TCP. Most vendors' VPN clients do not allow the user to define the UDP port for the connection, as the standard says to use 4500. However, some vendors' VPN clients do allow the configuration of the TCP port. Additionally, some vendors' VPN terminators (read Cisco) can be configured to listen on multiple TCP ports simultaneously.

Therefore, another functional advantage of using TCP encapsulation instead of NAT-T (read UDP) is that the port for the IPSec connection can be defined by the client, provided the VPN terminating device has been configured to listen on that TCP port. I find this very useful as I initiate VPN connections from varied and different networks as part of my consulting work. Many networks block all traffic except for "normal" business needs. Some networks allow only 80/443. Some networks allow 3389 for RDP, and others do not. Therefore, I have a lot more success with VPN tunnels by providing myself with 5 choices of TCP ports. I find that networks that are locked down and providing HTTP access through proxies still frequently allow 443 out without authentication or filtering, due to the obvious added complexity of handshaking the SSL connection on both sides to look at the traffic and authenticate it. Therefore, TCP/443 has shown to be the most successful for me.

I have also found that unreliable connections like cable modems that experience high packet loss cause my TCP-IPSec connections to provide lower overall performance, due to the obvious problems of two entities attempting reliable retransmission of lost data and invoking the TCP slow-down algorithm. This is a casual observation rather than a scientific measurement, for which I have no corresponding data.

- -----Original Message-----
From: vpn-bounces+shannong=texas.net at lists.shmoo.com [mailto:vpn-bounces+shannong=texas.net at lists.shmoo.com] On Behalf Of Siddhartha Jain
Sent: Friday, October 10, 2003 12:54 PM
To: VPN at lists.shmoo.com
Subject: RE: [VPN] IPSEC over UDP or TCP

That's interesting. I assumed a higher overhead for obvious reasons. Can you point to any studies or white papers proving that NAT-T doesn't affect performance??

Thanks,

Siddhartha

--- Bill Yazji wrote:
> Quantify your "con" - significant testing has shown
> this really isn't the
> case....
> > ~B > > -----Original Message----- > From: vpn-bounces+byazji=psualum.com at lists.shmoo.com > [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com]On > Behalf Of > Siddhartha Jain > Sent: Tuesday, October 07, 2003 11:45 AM > To: VPN at lists.shmoo.com > Subject: Re: [VPN] IPSEC over UDP or TCP > > > Advantages: Beats ISP blocking of IPSec traffic and > overcomes NAT difficulties. > > Cons: Decreases throughput because you have higher > overheads. Original packet inside IPSec inside > TCP/UDP > packet. > > > > --- "Shivdasani, Meenoo" > wrote: > > I'm interested in people's experiences with > > > > implementing IPSEC over UDP > > or TCP. > > > > Benefits? Disadvantages? > > > > Thanks in advance, > > > > M > > _______________________________________________ > > VPN mailing list > > VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn > > ______________________________________________________________________ __ > Want to chat instantly with your online friends? > Get the FREE Yahoo! > Messenger http://mail.messenger.yahoo.co.uk > _______________________________________________ > VPN mailing list > VPN at lists.shmoo.com > http://lists.shmoo.com/mailman/listinfo/vpn > > _______________________________________________ > VPN mailing list > VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn ______________________________________________________________________ __ Want to chat instantly with your online friends? Get the FREE Yahoo! 
Messenger http://mail.messenger.yahoo.co.uk _______________________________________________ VPN mailing list VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQA/AwUBP4gqRuzo5pjD9SKfEQJXCgCfVYLpdFLgfZaNn1crOiM6R+NzoOgAoJB1 2NZTZ9y5qodIVQnJfZPeUgPH =chEs -----END PGP SIGNATURE----- From vadiraj at deeproot.co.in Tue Oct 14 07:24:52 2003 From: vadiraj at deeproot.co.in (Vadiraj C S) Date: Tue, 14 Oct 2003 16:54:52 +0530 (IST) Subject: [VPN] VPN-Masquerade In-Reply-To: Message-ID: Hi Does latest kernel versions have VPN Masquerade support? Please let me know this as soon as possible. Thanks in advance. Vadiraj C S From jef at linuxbe.org Wed Oct 15 02:50:18 2003 From: jef at linuxbe.org (Jean-Francois Dive) Date: Wed, 15 Oct 2003 08:50:18 +0200 Subject: [VPN] IPSEC over UDP or TCP In-Reply-To: <009601c39011$7fa48cc0$0101a8c0@ASTEROID> References: <009601c39011$7fa48cc0$0101a8c0@ASTEROID> Message-ID: <1066200618.1212.2.camel@gardafou> What you define here is a generic tunnel encapsulation which exist in multiple forms. As far as IPSec is concerned, it should not be affected by such environment. NAT-T is designed to cope with nat, punt. If you want to cross a restrictive network, ISP, firewall, then you should use whatever_you_name_it tunnel technology to carry ipsec traffic. On Sat, 2003-10-11 at 18:05, shannong wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Note: NAT-T is a standard and specifies only UDP over port 4500. > Some vendors provide a proprietary method (namely Cisco) for UDP > encapsulation over other defined ports and even with TCP. Most > vendors' VPN clients do not allow the user to define the UDP port for > the connection as the standard says to use 4500. However, some > vendors' VPN clients do allow the configuration of the TCP port. > Additionally, some vendors' VPN terminators (read Cisco)can be > configured to listen on multiple TCP ports simultaneously. 
> > Therefore, another functional advantage of using TCP encapsulation > instead of NAT-T (read UDP)is that the port for the IPSec connection > can be defined by the client provided the VPN terminating device has > been configured to listen on that TCP port. I find this very useful > as I initiate VPN connections from varied and different networks as > part of my consulting work. Many networks block all traffic except > for "normal" business needs. Some networks allow only 80/443. Some > networks allow 3389 for RDP, and others do not. Therefore, I have a > lot more success with VPN tunnels by providing myself with 5 choices > of TCP ports. I find that networks that are locked down and > providing HTTP access through proxies still frequently allow 443 out > without authentication or filtering due to the obvious added > complexity of handshaking the SSL connection on both sides to look at > the traffic and authenticate it. Therefore, TCP/443 has shown to be > the most successful for me. > > I have also found that unrealiable connections like cable modems that > experience high packet loss cause my TCP-IPSec connections to provide > lower overall peformance due to the obvious problems of two entities > attempting reliable retransmission of lost data and invoking the TCP > slow-down algorithm. This is a casual observance rather than > scientific measurement for which I have no corresponding data. > > > > - -----Original Message----- > From: vpn-bounces+shannong=texas.net at lists.shmoo.com > [mailto:vpn-bounces+shannong=texas.net at lists.shmoo.com] On Behalf Of > Siddhartha Jain > Sent: Friday, October 10, 2003 12:54 PM > To: VPN at lists.shmoo.com > Subject: RE: [VPN] IPSEC over UDP or TCP > > > Thats interesting. I assumed a higher overhead for > obvious reasons. Can you point to any studies or white > papers proving that NAT-T doesn't affect performance?? 
> > Thanks, > > Siddhartha > > > > --- Bill Yazji wrote: > Quantify > your "con" - significant testing has shown > > this really isn't the > > case.... > > > > ~B > > > > -----Original Message----- > > From: vpn-bounces+byazji=psualum.com at lists.shmoo.com > > > [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com]On > > Behalf Of > > Siddhartha Jain > > Sent: Tuesday, October 07, 2003 11:45 AM > > To: VPN at lists.shmoo.com > > Subject: Re: [VPN] IPSEC over UDP or TCP > > > > > > Advantages: Beats ISP blocking of IPSec traffic and > > overcomes NAT difficulties. > > > > Cons: Decreases throughput because you have higher > > overheads. Original packet inside IPSec inside > > TCP/UDP > > packet. > > > > > > > > --- "Shivdasani, Meenoo" > > wrote: > > > I'm interested in people's experiences with > > > > > implementing IPSEC over UDP > > > or TCP. > > > > > > Benefits? Disadvantages? > > > > > > Thanks in advance, > > > > > > M > > > _______________________________________________ > > > VPN mailing list > > > VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn > > > > > ______________________________________________________________________ > __ > > Want to chat instantly with your online friends? > > Get the FREE Yahoo! > > Messenger http://mail.messenger.yahoo.co.uk > > _______________________________________________ > > VPN mailing list > > VPN at lists.shmoo.com > > http://lists.shmoo.com/mailman/listinfo/vpn > > > > _______________________________________________ > > VPN mailing list > > VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn > > ______________________________________________________________________ > __ > Want to chat instantly with your online friends? Get the FREE Yahoo! 
> Messenger http://mail.messenger.yahoo.co.uk
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.2
>
> iQA/AwUBP4gqRuzo5pjD9SKfEQJXCgCfVYLpdFLgfZaNn1crOiM6R+NzoOgAoJB1
> 2NZTZ9y5qodIVQnJfZPeUgPH
> =chEs
> -----END PGP SIGNATURE-----

--
-> Jean-Francois Dive --> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From shannong at texas.net Wed Oct 15 09:24:30 2003
From: shannong at texas.net (shannong)
Date: Wed, 15 Oct 2003 08:24:30 -0500
Subject: [VPN] IPSEC over UDP or TCP
In-Reply-To: <1066200618.1212.2.camel@gardafou>
Message-ID: <200310151300.h9FD0Eu7014314@ms-smtp-05.texas.rr.com>

The idea of tunnel encapsulation is generic. The use of NAT-T, specifically, is not. It is defined in an IETF draft as noted below and defines UDP port 4500. Most vendors' products I have seen follow the NAT-T standard and only provide for the client to select UDP encapsulation and not the port, as the port is defined in the standard. TCP is not in the same boat, however, and enjoys the luxury of allowing the port to be defined in the VPN client.

The benefits I refer to really have nothing to do with NAT. My point was that creating IPSec tunnels that are encapsulated in TCP and with multiple ports available provides a high degree of success in creating outbound IPSec connections from networks that are filtered and/or authenticated, as is the case in most business environments and even some ISPs. Also, a lot of low-end firewalls don't handle UDP "connections" so well, and TCP-encapsulated traffic enjoys a higher degree of success here also. Unfortunately, many vendors' VPN solutions don't provide for TCP encapsulation as they only implement the NAT-T standard using UDP/4500. Of course, if ISPs are really filtering ESP to prevent IPSec traffic then it's only a matter of time before they filter traffic with source/destination port UDP/4500 as well.

More info on the IETF draft for this can be found using the following headers to that standard.

IP Security Protocol Working Group (IPSEC)                       T. Kivinen
INTERNET-DRAFT                                  SSH Communications Security
draft-ietf-ipsec-nat-t-ike-07.txt                                B. Swander
Expires: 29 March 2004                                            Microsoft
                                                                A. Huttunen
                                                      F-Secure Corporation
                                                                   V. Volpe
                                                              Cisco Systems
                                                                29 Sep 2003

-----Original Message-----
From: vpn-bounces+shannong=texas.net at lists.shmoo.com [mailto:vpn-bounces+shannong=texas.net at lists.shmoo.com] On Behalf Of Jean-Francois Dive
Sent: Wednesday, October 15, 2003 1:50 AM
To: shannong
Cc: VPN at lists.shmoo.com
Subject: RE: [VPN] IPSEC over UDP or TCP

What you define here is a generic tunnel encapsulation which exists in multiple forms. As far as IPSec is concerned, it should not be affected by such an environment. NAT-T is designed to cope with NAT, punt. If you want to cross a restrictive network, ISP, firewall, then you should use whatever_you_name_it tunnel technology to carry IPsec traffic.

On Sat, 2003-10-11 at 18:05, shannong wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Note: NAT-T is a standard and specifies only UDP over port 4500.
> Some vendors provide a proprietary method (namely Cisco) for UDP
> encapsulation over other defined ports and even with TCP. Most
> vendors' VPN clients do not allow the user to define the UDP port for
> the connection as the standard says to use 4500. However, some
> vendors' VPN clients do allow the configuration of the TCP port.
> Additionally, some vendors' VPN terminators (read Cisco) can be
> configured to listen on multiple TCP ports simultaneously.
>
> Therefore, another functional advantage of using TCP encapsulation instead of NAT-T (read UDP) is that the port for the IPSec connection can be defined by the client, provided the VPN terminating device has been configured to listen on that TCP port. I find this very useful as I initiate VPN connections from varied and different networks as part of my consulting work. Many networks block all traffic except for "normal" business needs. Some networks allow only 80/443. Some networks allow 3389 for RDP, and others do not. Therefore, I have a lot more success with VPN tunnels by providing myself with 5 choices of TCP ports. I find that networks that are locked down and providing HTTP access through proxies still frequently allow 443 out without authentication or filtering due to the obvious added complexity of handshaking the SSL connection on both sides to look at the traffic and authenticate it. Therefore, TCP/443 has shown to be the most successful for me.
>
> I have also found that unreliable connections like cable modems that experience high packet loss cause my TCP-IPSec connections to provide lower overall performance due to the obvious problems of two entities attempting reliable retransmission of lost data and invoking the TCP slow-down algorithm. This is a casual observation rather than scientific measurement, for which I have no corresponding data.
>
> -----Original Message-----
> From: vpn-bounces+shannong=texas.net at lists.shmoo.com [mailto:vpn-bounces+shannong=texas.net at lists.shmoo.com] On Behalf Of Siddhartha Jain
> Sent: Friday, October 10, 2003 12:54 PM
> To: VPN at lists.shmoo.com
> Subject: RE: [VPN] IPSEC over UDP or TCP
>
> That's interesting. I assumed a higher overhead for obvious reasons. Can you point to any studies or white papers proving that NAT-T doesn't affect performance?
>
> Thanks,
>
> Siddhartha
>
> --- Bill Yazji wrote:
> > Quantify your "con" - significant testing has shown this really isn't the case....
> >
> > ~B
> >
> > -----Original Message-----
> > From: vpn-bounces+byazji=psualum.com at lists.shmoo.com [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com] On Behalf Of Siddhartha Jain
> > Sent: Tuesday, October 07, 2003 11:45 AM
> > To: VPN at lists.shmoo.com
> > Subject: Re: [VPN] IPSEC over UDP or TCP
> >
> > Advantages: Beats ISP blocking of IPSec traffic and overcomes NAT difficulties.
> >
> > Cons: Decreases throughput because you have higher overheads. Original packet inside IPSec inside TCP/UDP packet.
> >
> > --- "Shivdasani, Meenoo" wrote:
> > > I'm interested in people's experiences with implementing IPSEC over UDP or TCP.
> > >
> > > Benefits? Disadvantages?
> > >
> > > Thanks in advance,
> > >
> > > M
-- 
-> Jean-Francois Dive --> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From drewgost at adelphia.net Fri Oct 17 05:43:42 2003
From: drewgost at adelphia.net (Andrew Gostanian)
Date: Fri, 17 Oct 2003 05:43:42 -0400
Subject: [VPN] VPN win2003
Message-ID: <000101c39493$2a0acc80$6601a8c0@hawaii>

Hi everybody,

I have set up a VPN Server (Win2003); it works fine from inside the company, but when I try to connect to it from the outside, I get a 721 error. It will go as far as checking username and password and then I get the 721. I have a PIX firewall and I opened port 1723 and GRE is ok. I tried opening port 500 as well but to no avail.

What settings should be opened on the firewall? By the way, I am using XP Pro to connect from the outside.

Thanks for any support,

Drew

From Dan_Vo at diodes.com Fri Oct 17 17:50:33 2003
From: Dan_Vo at diodes.com (Dan_Vo at diodes.com)
Date: Fri, 17 Oct 2003 14:50:33 -0700
Subject: [VPN] VPN Netstructure Gateway Log

Hi

I was wondering if you know how to retrieve the logs for the inbound proxies through the VPN access manager?
I haven't had much luck with locating and reviewing the access logs. If I do a show command on the inbound proxies, I can only see 6 entries and only for that same day.

Regards,

Dan
805-446-4800 x104

From kelly_koons at yahoo.com.sg Sat Oct 18 11:25:44 2003
From: kelly_koons at yahoo.com.sg (Kelly Koons)
Date: Sat, 18 Oct 2003 23:25:44 +0800 (CST)
Subject: [VPN] L2L vpn tunnel on vpn-1 --thoughts ?
In-Reply-To: <1066200618.1212.2.camel@gardafou>
Message-ID: <20031018152544.74143.qmail@web60108.mail.yahoo.com>

Hi all

I am trying to troubleshoot an L2L vpn tunnel on the Checkpoint VPN-1 NG. I am not able to find where I can change the pre-shared keys. Can someone guide me?

Also, is there any documentation where I can better understand the phase 1 and phase 2 settings in vpn-1?

All your assistance is highly appreciated.

Thanks

--Kelly

From byazji at psualum.com Mon Oct 20 23:08:24 2003
From: byazji at psualum.com (Bill Yazji)
Date: Mon, 20 Oct 2003 22:08:24 -0500
Subject: [VPN] IPSEC over UDP or TCP
In-Reply-To: <200310151300.h9FD0Eu7014314@ms-smtp-05.texas.rr.com>

With the Nortel Contivity you can specify any random port. You aren't locked into the "standard" 4500.

-----Original Message-----
From: vpn-bounces+byazji=psualum.com at lists.shmoo.com [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com] On Behalf Of shannong
Sent: Wednesday, October 15, 2003 8:25 AM
To: jef at linuxbe.org
Cc: VPN at lists.shmoo.com
Subject: RE: [VPN] IPSEC over UDP or TCP

The idea of tunnel encapsulation is generic. The use of NAT-T, specifically, is not.
From losttoy2000 at yahoo.co.uk Tue Oct 21 01:33:50 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Tue, 21 Oct 2003 06:33:50 +0100 (BST)
Subject: [VPN] VPN win2003
In-Reply-To: <000101c39493$2a0acc80$6601a8c0@hawaii>
Message-ID: <20031021053350.94973.qmail@web25110.mail.ukl.yahoo.com>

I am assuming you have configured the Win2003 server for IPSec VPN. You need to open up IP protocols ESP and AH; they are protocol numbers 50 and 51 respectively. Also port UDP 500 for IKE.

access-list inbound permit esp any host x.x.x.x
access-list inbound permit ah any host x.x.x.x
access-list inbound permit udp any host x.x.x.x eq isakmp

where x.x.x.x is your Win2003 server IP. But this is assuming you are not NAT-ing the Win2003 server IP address.

Why do you need to allow 1723 and GRE, btw?

HTH,

Siddhartha

--- Andrew Gostanian wrote:
> Hi everybody,
>
> I have set up a VPN Server (Win2003); it works fine from inside the company, but when I try to connect to it from the outside, I get a 721 error.
>
> It will go as far as checking username and password and then I get the 721. I have a PIX firewall and I opened port 1723 and GRE is ok. I tried opening port 500 as well but to no avail.
>
> What settings should be opened on the firewall? By the way, I am using XP Pro to connect from the outside.
>
> Thanks for any support,
>
> Drew
From losttoy2000 at yahoo.co.uk Tue Oct 21 01:38:10 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Tue, 21 Oct 2003 06:38:10 +0100 (BST)
Subject: [VPN] L2L vpn tunnel on vpn-1 --thoughts ?
In-Reply-To: <20031018152544.74143.qmail@web60108.mail.yahoo.com>
Message-ID: <20031021053810.22594.qmail@web25106.mail.ukl.yahoo.com>

I am not at work right now so can't check the exact menus, but if memory serves me right, you can change the pre-shared key when you define a peer, in the peer properties. If you are talking to a non-CP peer, you need to define an "Interoperable device"; then in the VPN tab under the peer's properties, you should be able to change the pre-shared key.

Also, if you have upgraded from CP NG 4.1 to AI, then you need to migrate vpn policies. Look up the file called vpn-1.pdf in the documentation.

HTH,

Siddhartha

--- Kelly Koons wrote:
> Hi all
>
> I am trying to troubleshoot an L2L vpn tunnel on the Checkpoint VPN-1 NG. I am not able to find where I can change the pre-shared keys. Can someone guide me?
>
> Also, is there any documentation where I can better understand the phase 1 and phase 2 settings in vpn-1?
>
> All your assistance is highly appreciated.
>
> Thanks
>
> --Kelly
From secbyte at squarework.com Tue Oct 21 08:09:15 2003
From: secbyte at squarework.com (George Mason)
Date: Tue, 21 Oct 2003 08:09:15 -0400
Subject: [VPN] Netopia
Message-ID: <3F9521EB.6090906@squarework.com>

Greetings,

Can anybody give me step by step instructions on configuring a Netopia 3346 Router for VPN? We have purchased the key and I can telnet into it and IP into it, but they don't seem to include instructions, and Netopia wants to charge big money for telling us how it works.

As a second question, when I telnet into the router, I don't get the screen they show on their internet web page. Do I have to configure telnet? And how?

George

From losttoy2000 at yahoo.co.uk Tue Oct 21 12:19:04 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Tue, 21 Oct 2003 17:19:04 +0100 (BST)
Subject: [VPN] Netopia
In-Reply-To: <3F9521EB.6090906@squarework.com>
Message-ID: <20031021161904.41391.qmail@web25103.mail.ukl.yahoo.com>

Go buy Cisco or some other brand that has nice and free documentation online. Seriously, I've seen a lot of customers in pain because the products they bought lack proper documentation.

--- George Mason wrote:
> Greetings,
>
> Can anybody give me step by step instructions on configuring a Netopia 3346 Router for VPN? We have purchased the key and I can telnet into it and IP into it, but they don't seem to include instructions, and Netopia wants to charge big money for telling us how it works.
>
> As a second question, when I telnet into the router, I don't get the screen they show on their internet web page. Do I have to configure telnet? And how?
>
> George
From mark at yarian.com Tue Oct 21 14:18:19 2003
From: mark at yarian.com (Mark)
Date: Tue, 21 Oct 2003 14:18:19 -0400
Subject: [VPN] Primers or Whitepapers
Message-ID: <001301c397ff$b4fb0430$7b01a8c0@sunsetlending.com>

Greetings all. I've been reading this digest for a few weeks now. Is it possible to get a website or address of some good sites for researching VPN? I've set up small ones for my company, but we plan to implement a large scale installment. I would like to brush up on everything. The install will be primarily Windows based.

Thanks for your time,

Mark Yarian
mark.yarian at sunsetlending.com
mark at yarian.com
Americorp Credit Corporation
If you have any questions, please call 724-347-4867 x410

From mzimmerman at icsalabs.com Tue Oct 21 15:19:11 2003
From: mzimmerman at icsalabs.com (Zimmerman, Mark)
Date: Tue, 21 Oct 2003 15:19:11 -0400
Subject: [VPN] L2L vpn tunnel on vpn-1 --thoughts ?

Kelly,

One of the Senior Analysts at ICSA Labs has written a whitepaper detailing typical configuration and function of VPN devices. I think it would be very beneficial for you.

http://www.icsalabs.com/html/communities/ipsec/IPsec_Technical_Config_Guidelines.pdf

Regards

P.S. We're actually coming out with a Troubleshooting Guide at the end of this month.

-----Original Message-----
From: Kelly Koons [mailto:kelly_koons at yahoo.com.sg]
Sent: Saturday, October 18, 2003 11:26 AM
To: VPN at lists.shmoo.com
Subject: [VPN] L2L vpn tunnel on vpn-1 --thoughts ?

Hi all

I am trying to troubleshoot an L2L vpn tunnel on the Checkpoint VPN-1 NG. I am not able to find where I can change the pre-shared keys. Can someone guide me?
Also, is there any documentation where I can better understand the phase 1 and phase 2 settings in vpn-1?

All your assistance is highly appreciated.

Thanks

--Kelly

From JohnC at hcarr.com Thu Oct 23 10:15:55 2003
From: JohnC at hcarr.com (John Clark)
Date: Thu, 23 Oct 2003 10:15:55 -0400
Subject: [VPN] Netopia

Have you tried this website yet?

http://www.netopia.com/en-us/support/technotes/hardware/r_series/index.html#technotes

This should help you out.

-----Original Message-----
From: George Mason [mailto:secbyte at squarework.com]
Sent: Tuesday, October 21, 2003 8:09 AM
Cc: vpn at lists.shmoo.com
Subject: [VPN] Netopia

Greetings,

Can anybody give me step by step instructions on configuring a Netopia 3346 Router for VPN? We have purchased the key and I can telnet into it and IP into it, but they don't seem to include instructions, and Netopia wants to charge big money for telling us how it works.

As a second question, when I telnet into the router, I don't get the screen they show on their internet web page. Do I have to configure telnet? And how?
George

From TSimons at Delphi-Tech.com Thu Oct 23 23:19:23 2003
From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com)
Date: Thu, 23 Oct 2003 23:19:23 -0400
Subject: [VPN] Linksys BEFVP41 Firmware v1.41.1
Message-ID: <880E60DA7286AB4CBEECB01B169A63BD0F69BC78@NJ-2K-Email1.delphi-tech.com>

Hello All

Just wanted to pass along that Linksys has released v1.41.1 for the Linksys BEFVP41. It's not in the release notes, but it appears that they've fixed the "advanced" VPN page. ...those of you running multiple VPN tunnels know what I'm talking about.

http://www.linksys.com/download/firmware.asp?fwid=158

It also has support for SNMP and you can run MRTG against it.

So far I've successfully used the BEFVP41 in S2S VPN setups with:
-SEF 7.0
-VR 1.5 1100
-SFVA 200R

I haven't had time to try aggressive setups yet...

Hope this helps...

~Todd

__________________________________
Todd M. Simons
Senior MIS Engineer
Dell Tier 1 PA Technician
Delphi Technology, Inc.
New Brunswick, NJ

Note: The contents of this email do not constitute a legally binding commitment.

From filippo.carzaniga at query.it Fri Oct 24 11:38:36 2003
From: filippo.carzaniga at query.it (Filippo Carzaniga)
Date: Fri, 24 Oct 2003 17:38:36 +0200
Subject: [VPN] vpn problem cisco & watchguard
Message-ID: <63F2BE247C6A7C43A608652A32C1D3B8049997@qs011.query.local>

> I have a problem with a cisco router and Watchguard firewall.
> Sometimes the ipsec tunnel drops.
> The logs on the router show this:
>
> %CRYPTO-4-IKMP_PKT_OVERFLOW : ISAKMP message from [IP_address] larger ([dec]) than the UDP packet length ([dec])
>
> Explanation: ISAKMP messages are carried in UDP packets and have their own message length field. The message length field of this message was greater than the length of the UDP packet. This situation could indicate a denial-of-service attack.
> Recommended Action: Contact the remote peer and the administrator of the remote peer.
>
> The remote Watchguard 700/III release 7.0 sp1 seems not to have a problem.
> The cisco is this:
>
> System image file is "flash:c837-k9o3y6-mz.122-13.ZH2.bin"
> CISCO C837 (MPC857DSL) processor (revision 0x400) with 29492K/3276K bytes of memory.
>
> Please let me know this as soon as possible.
>
> Thanks in advance.

From humphrie at wfubmc.edu Fri Oct 24 15:01:04 2003
From: humphrie at wfubmc.edu (Tait Humphries)
Date: Fri, 24 Oct 2003 15:01:04 -0400
Subject: [VPN] Windows 2003 VPN

Does anyone have experience using the VPN offered through Windows 2003? We currently have Nortel VPN (IPSec) but we are wanting to check the remote PCs' anti-virus, patch level... I know there are ways to do this via our Nortel solution but I have been asked to research the possibility via 2003 - there appears to be a way to do this in 2003, "Network Access Quarantine Control". Do you have any recommendations on this OR on using Windows as your VPN server in general? I have reservations about relying on Microsoft for VPN security (maybe I'm just paranoid - if not, please include URL links to facts about any real concerns with the way Windows does VPN). I seem to recall an issue with their IPSec DES.

Thanks,

Tait Humphries

From bjaber at ipass.com Mon Oct 27 11:11:34 2003
From: bjaber at ipass.com (Basim Jaber)
Date: Mon, 27 Oct 2003 08:11:34 -0800
Subject: [VPN] Windows 2003 VPN

Tait,

The Windows Server 2003 "Network Access Quarantine" feature is documented in full at the following URL:

http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

Be forewarned, however, that it requires a moderate to complex level of scripting (depending on what you want to check for on the client PC).
It also involves setting up appropriate remediation services (i.e. a web server for patch/software downloads, IAS 2003 (RADIUS), RRAS for Win2003, etc.).

The Nortel Contivity VPN "TunnelGuard" feature can do pretty much the same, but does not involve scripting to the level of complexity (or at all, I believe) of the Win2003 solution.

Lastly, please note that if you already have clients out there with Nortel Contivity VPN Clients deployed and you want to end up using the Win2003 IPSec/L2TP VPN, then you have to uninstall the Nortel client, as the IPSec policy agent is disabled on the Nortel VPN Client. If you use PPTP with Win2003 RRAS, then you are downgrading in security (IPSec --> PPTP). Not wise.

My suggestion: stay with Nortel and use TunnelGuard.

--Basim

_____
Basim S. Jaber
Senior Systems Engineer
Field Sales - Americas
iPass, Inc.
bjaber at iPass.com
(650) 232-4311
_____

From: Tait Humphries [mailto:humphrie at wfubmc.edu]
Sent: Friday, October 24, 2003 12:01 PM
To: vpn at lists.shmoo.com
Subject: [VPN] Windows 2003 VPN

Does anyone have experience using the VPN offered through Windows 2003? We currently have Nortel VPN (IPSec) but we are wanting to check the remote PCs' anti-virus, patch level... I know there are ways to do this via our Nortel solution but I have been asked to research the possibility via 2003 - there appears to be a way to do this in 2003, "Network Access Quarantine Control". Do you have any recommendations on this OR on using Windows as your VPN server in general? I have reservations about relying on Microsoft for VPN security (maybe I'm just paranoid - if not, please include URL links to facts about any real concerns with the way Windows does VPN). I seem to recall an issue with their IPSec DES.

Thanks,

Tait Humphries
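Two points in this thread share one piece of parsing: shannong's note that NAT-T puts IKE on UDP/4500 alongside UDP-encapsulated ESP, and the %CRYPTO-4-IKMP_PKT_OVERFLOW message in Filippo Carzaniga's post, which fires when the ISAKMP header's length field claims more bytes than the UDP datagram delivered. The example below is added here and is not code from the list posts or from any vendor; it sorts a UDP/4500 payload into keepalive, ESP or ISAKMP using the non-ESP marker from the NAT-T draft, then applies the length check a gateway must make before it trusts the header. All packets are constructed in the block with dummy cookies and SPIs.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1: initiator cookie, responder cookie,
# next payload, version (major << 4 | minor), exchange type, flags,
# message ID, total message length.  28 bytes on the wire.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # NAT-T: four zero bytes before IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"               # NAT-T: one-byte keepalive on UDP/4500


def classify_udp4500(payload):
    """Sort a UDP/4500 datagram into keepalive, ESP or ISAKMP.
    UDP-encapsulated ESP starts with its SPI, which is never zero, so a
    zero first word can only be the non-ESP marker in front of IKE."""
    if payload == NAT_KEEPALIVE:
        return "keepalive", b""
    if payload[:4] == NON_ESP_MARKER:
        return "isakmp", payload[4:]
    return "esp", payload


def check_isakmp(body):
    """Compare the ISAKMP length field with what UDP actually delivered.
    Returns (ok, reason, parsed_header_or_None)."""
    if len(body) < ISAKMP_HDR.size:
        return False, "short: %d bytes, header needs %d" % (len(body), ISAKMP_HDR.size), None
    _icookie, _rcookie, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(body)
    hdr = {"next_payload": nxt, "major": ver >> 4, "minor": ver & 0xF,
           "exchange_type": exch, "flags": flags, "message_id": msg_id,
           "length": length}
    if length > len(body):
        # The condition behind Cisco's %CRYPTO-4-IKMP_PKT_OVERFLOW: the header
        # claims more bytes than the UDP packet carried.  A parser that trusted
        # the field would read past its buffer, so the message is dropped.
        return False, ("ISAKMP message larger (%d) than the UDP packet length (%d)"
                       % (length, len(body))), hdr
    if length < ISAKMP_HDR.size:
        return False, "length field %d smaller than the header" % length, hdr
    return True, "ok", hdr


def inspect_datagram(port, payload):
    """Emulate the gateway's first look at a datagram on an IKE port.
    Returns (kind, ok, reason); ESP and keepalives pass through unchecked."""
    if port == 4500:
        kind, body = classify_udp4500(payload)
    elif port == 500:
        kind, body = "isakmp", payload      # no marker on plain IKE
    else:
        return "other", False, "not an IKE/NAT-T port"
    if kind != "isakmp":
        return kind, True, "passed through"
    ok, reason, _hdr = check_isakmp(body)
    return kind, ok, reason


def build_isakmp(length_field, body_len, exchange_type=2):
    """Constructed IKE datagram with dummy cookies (sample data, not a capture).
    length_field and body_len are set separately so that a header which
    overstates its length can be produced to exercise the check."""
    hdr = ISAKMP_HDR.pack(b"\x01" * 8, b"\x00" * 8, 1, 0x10, exchange_type,
                          0, 0, length_field)
    return hdr + b"\x00" * (body_len - ISAKMP_HDR.size)


if __name__ == "__main__":
    samples = [
        (4500, NAT_KEEPALIVE),
        (4500, NON_ESP_MARKER + build_isakmp(128, 128)),   # well-formed main mode
        (4500, NON_ESP_MARKER + build_isakmp(4000, 128)),  # overstated length
        (4500, b"\x00\x00\x12\x34" + b"\x00" * 40),        # ESP, SPI 0x1234
        (500, b"\x00" * 10),                               # truncated header
    ]
    for port, pkt in samples:
        print(port, inspect_datagram(port, pkt))
```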
From lschwartz at micromuse.com Tue Oct 28 00:58:21 2003
From: lschwartz at micromuse.com (Lonny Schwartz)
Date: Mon, 27 Oct 2003 21:58:21 -0800
Subject: [VPN] odd VPN3005 behavior

Greetings,

I've got a Cisco VPN 3005 running 4.0.3 code. It has an odd problem: the public interface will stop responding every few hours. If I check on the interface status it says it's up but won't ping in or out. If I disable/enable the interface it comes back up. Any ideas on what could be causing this? Anything on the config side I'm totally missing, or perhaps an actual hardware issue that needs to be addressed?

Thanks for any help!

Lonny

From laneille at jrossi.demon.co.uk Wed Oct 29 06:35:03 2003
From: laneille at jrossi.demon.co.uk (Laneille&Joe)
Date: Wed, 29 Oct 2003 11:35:03 -0000
Subject: [VPN] Pix to Pix VPN Question
Message-ID: <000501c39e10$b2834ac0$0a01a8c0@joehome>

Hi

Ok, where to start. We have three corporate network sites all connected using Pix 515's via a VPN. I have had no problems getting all this working; for example, I can ping the inside zone of network B from the inside zone in network A. Within network A I have an Internal zone 192.168.1.0 and a Webzone 192.168.2.0, and within network B I have an Internal zone 192.168.10.0 and a Webzone 192.168.11.0. I am, as stated above, able to connect from 192.168.1.0 to 192.168.10.0 via the usual crypto map setup.

What I would like to do is connect from Network A 192.168.1.0 (Internal) to Network B 192.168.11.0 (Webzone). I have not been able to get this working.

Please let me know if you have any ideas.
Regards

Joe Rossi

From Andrew.Prince at TrinitySecurity.com Thu Oct 30 16:45:34 2003
From: Andrew.Prince at TrinitySecurity.com (Andrew Prince)
Date: Thu, 30 Oct 2003 21:45:34 -0000
Subject: [VPN] Pix to Pix VPN Question
In-Reply-To: <000501c39e10$b2834ac0$0a01a8c0@joehome>
Message-ID: <000501c39f2f$2648cb50$0501a8c0@007>

If your encryption domains are correct (as it sounds) I would suggest looking at your access lists. You are trying to access a less trusted interface on network B?

Also, what interfaces are you terminating your VPNs on? If you are terminating on the inside interface, this can cause issues.

-----Original Message-----
From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com [mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On Behalf Of Laneille&Joe
Sent: 29 October 2003 11:35
To: vpn at lists.shmoo.com
Subject: [VPN] Pix to Pix VPN Question

Hi

Ok, where to start. We have three corporate network sites all connected using Pix 515's via a VPN. I have had no problems getting all this working; for example, I can ping the inside zone of network B from the inside zone in network A. Within network A I have an Internal zone 192.168.1.0 and a Webzone 192.168.2.0, and within network B I have an Internal zone 192.168.10.0 and a Webzone 192.168.11.0. I am, as stated above, able to connect from 192.168.1.0 to 192.168.10.0 via the usual crypto map setup.

What I would like to do is connect from Network A 192.168.1.0 (Internal) to Network B 192.168.11.0 (Webzone). I have not been able to get this working.

Please let me know if you have any ideas.

Regards

Joe Rossi
From mwang at cs.stanford.edu Fri Oct 31 00:30:21 2003
From: mwang at cs.stanford.edu (Mark Wang)
Date: Thu, 30 Oct 2003 23:30:21 -0600
Subject: [VPN] Full tunnel VPN possible with "home" VPN routers?
Message-ID: <1067578221.3fa1f36da604f@www.markwang.com>

Hi all,

I'm considering setting up a VPN server on my home DSL connection, where I can use a VPN client and have all my Internet traffic appear to come from my home DSL IP, rather than whatever IP I'm using now. I surf a lot from public wireless access points, and I would like a secure layer of encryption. Also, I travel a lot in China and other places where they censor Western sites or allegedly snoop on traffic, and I'd like to bypass/encrypt everything for security as well. Therefore, I need a "full-tunnel" connection, where ALL traffic is tunneled through the VPN, not just traffic for my private home subnet.

Because it's just for my personal use, I don't want to spend thousands of dollars. So I'm thinking about getting a "home" router with VPN capability, like the Netgear FVS318NA, Linksys BEFVP41, or similar, and I'm wondering if they support the full-tunnel mode of operation. I would be using the router as a VPN server, not a client. They advertise the VPN capability, but I'm not sure if it's "split tunnel" only for the private home subnet, or if it's "full tunnel" for all addresses.

Thanks!

-- 
Mark

From jef at linuxbe.org Fri Oct 31 04:24:13 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Fri, 31 Oct 2003 10:24:13 +0100
Subject: [VPN] Pix to Pix VPN Question
In-Reply-To: <000501c39e10$b2834ac0$0a01a8c0@joehome>
References: <000501c39e10$b2834ac0$0a01a8c0@joehome>
Message-ID: <1067592253.2367.12.camel@gardafou>

When setting up the access-list to specify the phase 2 selectors (proxy identities in Cisco terms), you need to specify all possible traffic that needs to go across the tunnel(s).
For example:

A ----------- B
net1          net10
net2          net20

you need to specify the following access-list on A:

permit net1-net10
permit net1-net20
permit net2-net10
permit net2-net20

and the reverse on B.

You can already see that network summarisation and VLSM are useful to set up those entries.

Finally, if you have a lot of networks like that, it may be interesting to use GRE-based IPsec tunnels and let the firewall do the policy for traffic filtering (I dunno though if the PIX supports GRE; that is, transport mode IPsec protecting GRE traffic).

Hope this helps,

J.

On Wed, 2003-10-29 at 12:35, Laneille&Joe wrote:
> Hi
>
> Ok where to start. We have three corporate network sites all connected
> using Pix 515's via a VPN. I have had no problems getting all this
> working for example I can ping the inside zone of network B from the
> inside zone in network A. Within network A I have an Internal zone
> 192.168.1.0 and a Webzone 192.168.2.0 and within network B I have an
> Internal zone 192.168.10.0 and a Webzone 192.168.11.0. I am as stated
> above able to connect from 192.168.1.0 to 192.168.10.0 via the usual
> crypto map setup.
>
> What I would like to do is connect from Network A 192.168.1.0
> (Internal) to Network B 192.168.11.0 (Webzone). I have not been able
> to get this working.
>
> Please let me know if you have any ideas.
>
> Regards
>
> Joe Rossi

-- 
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From piranhabros at yahoo.com Fri Oct 31 16:19:17 2003
From: piranhabros at yahoo.com (Michael Batchelder)
Date: Fri, 31 Oct 2003 13:19:17 -0800 (PST)
Subject: [VPN] Re: Pix to Pix VPN Question
In-Reply-To: <20031031190005.D5F90157C2@mail.iocaine.com>
Message-ID: <20031031211917.77673.qmail@web13806.mail.yahoo.com>

> Message: 1
> Date: Wed, 29 Oct 2003 11:35:03 -0000
> From: "Laneille&Joe"
> Subject: [VPN] Pix to Pix VPN Question
> To:
> Message-ID: <000501c39e10$b2834ac0$0a01a8c0 at joehome>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi
>
> Ok where to start.

Posting the configs of the two PIXen in question would make answering your question much easier. You can scrub external IP addresses and anything else you don't wish to publicly announce.

Possibly your problem is with NAT. A quick way to see if your VPN isn't working because of NAT is to add the following command on both PIXen:

sysopt ipsec pl-compatible

and see if everything magically starts working... If that's the case, you should 1) take out that command and 2) make the correct "nat 0 access-list" statements. Then don't forget to clear xlate, and life should be good.

Binky
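To make Jean-Francois's cross-product rule and Binky's "nat 0 access-list" advice concrete for Joe's topology, here is an added Python example (not from anyone in this thread) that builds the phase 2 selectors for both sites, summarises adjacent prefixes where the addressing allows it, mirrors the selectors for the peer, and checks whether a given flow would match one. The /24 masks, the ACL name and the PIX 6.x command syntax rendered at the end are assumptions.

```python
import ipaddress
from itertools import product

# Constructed topology from the thread: two zones per site (assumed /24s).
SITE_A = ["192.168.1.0/24", "192.168.2.0/24"]     # Internal, Webzone at A
SITE_B = ["192.168.10.0/24", "192.168.11.0/24"]   # Internal, Webzone at B


def summarize(prefixes):
    """Collapse adjacent prefixes into a supernet where the addressing allows it."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def proxy_identities(local, remote):
    """One phase 2 selector per local/remote pair: the full cross product."""
    pairs = product(summarize(local), summarize(remote))
    return [(ipaddress.ip_network(loc), ipaddress.ip_network(rem)) for loc, rem in pairs]


def mirror(pairs):
    """The peer needs the same selectors with source and destination swapped."""
    return [(rem, loc) for loc, rem in pairs]


def pix_config(acl_name, pairs):
    """Render assumed PIX 6.x-style lines: the crypto ACL entries plus the NAT
    exemption (nat 0) that reuses the same ACL so tunnelled traffic is not
    translated before it is encrypted."""
    lines = [f"access-list {acl_name} permit ip {loc.network_address} {loc.netmask} "
             f"{rem.network_address} {rem.netmask}" for loc, rem in pairs]
    lines.append(f"nat (inside) 0 access-list {acl_name}")
    return lines


def covered(pairs, src, dst):
    """Would a flow src->dst match any selector (and so enter the tunnel)?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in loc and d in rem for loc, rem in pairs)


if __name__ == "__main__":
    # Joe's working setup: only Internal A <-> Internal B was permitted.
    partial = proxy_identities(["192.168.1.0/24"], ["192.168.10.0/24"])
    full = proxy_identities(SITE_A, SITE_B)
    print(covered(partial, "192.168.1.5", "192.168.11.5"))   # False: no selector
    print(covered(full, "192.168.1.5", "192.168.11.5"))      # True
    print("\n".join(pix_config("vpn_to_B", full)))
    print("\n".join(pix_config("vpn_to_A", mirror(full))))
```

Note that site B's two zones collapse to 192.168.10.0/23 while site A's 192.168.1.0/24 and 192.168.2.0/24 do not share a /23, which is exactly the VLSM point made above.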