From losttoy2000 at yahoo.co.uk Mon Sep 1 12:36:25 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Mon, 1 Sep 2003 20:36:25 +0400
Subject: [VPN] Cryptocard [Off-topic]
References: <20030829063401.93961.qmail@web21402.mail.yahoo.com> <01L03X8HPPGQ9WHGHB@Opus1.COM> <004a01c36ff0$c3c41e70$131348d4@bankon9otw2dox> <200308312017.42711.travis@traviswatson.com>
Message-ID: <000601c370a7$40f14970$351448d4@bankon9otw2dox>

I'll try to point out answers to some issues you've raised. However, that doesn't mean that I opine PKI roll-outs are smooth :)

> --The obvious, you need a PKI.

Yes, but PKI can be used to secure other apps in the environment that support SSL. You may have an Oracle client-server app, in which case you can turn on SSL and use the same token for auth. Same goes for any client-server app that allows SSL, and I think most widely used apps, today, support SSL. To my mind, this gives a virtual SSO solution.

> --Who maintains it, who administers it, who pays for it (not too cheap), what
> product do you go with/do you build your own, is it going to be public
> facing, does it need to be audited, do you need special facilities for it,
> and on and on....

Definitely, some thought needs to go into deploying PKI. However, someone needs to maintain, administer and pay for that Keon server and those keyfobs too :) I believe the same guys would foot the bill for PKI too.

> --How do you distribute certificates to Joe User without making his eyes glaze
> over with instructions (usually anything beyond 5 steps is deemed painful)

I used iPlanet web-based certificate enrollment a long time back, and used MS Cert Server recently. Though I am no fan of MS, the cert enrollment was pretty easy. The user is provided with very few choices, thus minimizing the chances of the user screwing up something.

> *and* make sure it's Joe and Joe alone that gets the cert?

True, the basis for enrollment is again good ol' username and password.
But if you allowed the initial enrollment process in a controlled environment (from the corporate network only, or some other mechanism could be thought of since it's a one-time procedure)

> --How are revocations and recoveries handled and who does it (and who is/are
> his backup(s))?

Revocations - If a user leaves the org, the HR drone deletes him from the corporate directory, thus revoking his/her cert too. Or if the user sends an alert saying they've lost the token, the certserv admin can revoke the cert.

Recovery - MS Cert Serv shows an option for a recovery agent. The cert admin should do the recovery and his backup could be other people in the security team. I don't think recovery is a technical problem.

> --Who handles the physical USB token part and who handles the cert part (ie,
> what happens when a user leaves it in the washing machine or loses it at a
> hotel)?

The user calls/mails and informs of the loss. Cert admin revokes cert. The cert and token, both, are now unusable.

> --Related to the above, how do you protect a stolen/lost USB token with a
> valid cert on it?

A token (to the best of my knowledge) cannot be tampered with. So you can't crack it and get the private keys out of it. Besides, a lost token wouldn't be usable because the thief still needs the PIN number protecting the private keys.

> If user/pass, what protocol and authentication backend do
> you use? If token based--why not just use the token to begin with? If you
> choose NTLM, what about people that don't log on the NT domain(s)? If you
> choose LDAP, (1) do you have a solid, central LDAP and (2) how do you publish
> the cert, what field name do you give it, what encoding do you use, etc.?

I configured it for VPN 3000 about a year back for a client. The box was configured for certificate authentication, so no other authentication protocol comes into the picture. Later, we added user/pass auth also for additional protection.
> --What about the people who are stuck with NT 4.0 and can't use USB tokens--do
> you force an upgrade to W2K or XP? What about those that insist on using
> their SUN Sparc workstation because their core apps depend on it?

True. Nothing much you can do about that.

> --Can the apps that you want a cert for handle certs to begin with? (radius
> support is much more common than PKI support).

Yes, if the app can support SSL. Or can be tunneled through an SSL-izing app. Of course, RADIUS is much more supported.

> It goes on and on--believe me--and maybe you've experienced much of the above
> yourself. PKI is oftentimes the most administratively frustrating
> application of all. It's a shame, really, because it's quite simple in its
> essence, but the real world problems can be daunting, to say the least.
> Adding to the above, PKI certificates seem to have this mysterious quality to
> them that even many IT professionals just refuse to grasp. You try to tell
> them that "it's a 4K file that doesn't want to hurt you", but they just can't
> understand it, for whatever reason. This makes PKI the target of anything
> that goes wrong--page won't load, PKI; user can't get in via VPN, PKI; user
> can't get on to the NT domain, PKI; user's car battery goes dead, PKI.
> Sorry, now I'm venting... Anyway...
> As much as I like PKI and USB tokens, I have to give warning that it can sound
> much, much simpler than it really is. But, in truth, I've always worked for
> very big organizations that, from an IT perspective, are more like 100s of
> small companies that all have the same name. If you don't face the
> aforementioned potential problems, then maybe you have a good chance of
> pulling it off--I just haven't been so lucky.

I agree that rolling out PKI is not an out-of-the-box solution as many vendors like to present it, but I think we need to push it to customers.
The more it is deployed, the more vendors will be forced to smooth the rough edges and make it easier for orgs to deploy it. Unless this happens, the PKI solutions won't mature.

Siddhartha

> --Willie
>
> On Sunday 31 August 2003 11:50 am, Siddhartha Jain wrote:
> > Hello People!!!
> >
> > Do you think certificate-storing USB tokens like Rainbow or Aladdin would
> > be safer? and better too. For one, you don't need a centralised server and
> > the use of certificates offers better security than regular two factor
> > tokens?
> >
> > Siddhartha - Muscat 23.36N 58.38E
> >
> > ----- Original Message -----
> > From: "Joel M Snyder"
> > To: "Travis Watson"
> > Cc: ; "Rudi Pierquin"
> > Sent: Sunday, August 31, 2003 9:34 PM
> > Subject: Re: [VPN] Cryptocard
> >
> > > > I don't know if cryptocard is peer-to-peer or master-slave (Joel, can
> > > > you answer this for us, please?), but I would be nervous about a
> > > > master-slave setup if that's what it is.
> > >
> > > Yes, CryptoCard has the same style as Safeword---centralized knowledge, but
> > > distributed knowledge. In fact, I have had good experiences with Safeword as
> > > well in recent years (got a pile of tokens in front of me as I speak), but
> > > never used them in production because they don't support OpenVMS as a
> > > server.
> > >
> > > There is a human-factors issue with distributed servers and CryptoCard.
> > > CryptoCard is often used in "reduced input" mode, which means that the server
> > > keeps some state between queries; it lets the user avoid putting in the
> > > challenge if you (the network manager) don't want to require it.
> > > In essence, in reduced input mode, the token & the server kind of agree on
> > > what the challenge will be the next time, and the token shows it---if the
> > > server asks for the same challenge that the token is giving, then the user
> > > just presses ENTER instead of putting in the challenge. (for those of you who
> > > care, the next challenge is based on additional bits out of the encryption
> > > that the CryptoCard does but which are not displayed, so it is under control
> > > of the server, not some synchronized algorithm like SecurID uses.)
> > >
> > > If you flop around between servers, then you can't use reduced input (or,
> > > more precisely, the user will perceive that they always have to enter the
> > > challenge), so most people who use CryptoCard tend to have multiple servers,
> > > but the servers are ordered (i.e., failover, not active load sharing) so that
> > > the same card tends to hit the same server all the time. That doesn't mean
> > > you can't load balance them across regions, just that your users will be
> > > happier if you don't.
> > >
> > > So that's a long answer to the question. The short answer is "yes, you can
> > > have lots of servers." It's just that when you set it up, you need to be
> > > cognizant of the human interface issues related to the product as well as
> > > the IT reliability issues.
> > >
> > > But I would agree with Willie 100%: I like the idea that I don't have a
> > > single server which has the "core knowledge;" I can distribute the knowledge
> > > around by sharing the token's secret among a bunch of different servers using
> > > CryptoCard and that makes it more attractive to me.
> > >
> > > jms
> > >
> > > Joel M Snyder, Opus One
> > > jms at Opus1.COM http://www.opus1.com/jms
> > > _______________________________________________
> > > VPN mailing list
> > > VPN at lists.shmoo.com
> > > http://lists.shmoo.com/mailman/listinfo/vpn

From losttoy2000 at yahoo.co.uk Mon Sep 1 12:49:16 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Mon, 1 Sep 2003 20:49:16 +0400
Subject: [VPN] ipsec and nat
References: <000c01c36e60$8e9b8b20$3200a8c0@gandalf>
Message-ID: <003d01c370a9$11603ed0$351448d4@bankon9otw2dox>

Check for NAT support in FreeSWAN. IPSec usually does not work from behind a NAT because NAT fudges the packet headers while IPSec checks the packet headers for integrity. But IPSec product vendors support IPSec over NAT using TCP/UDP to carry IPSec traffic.

You could also look for an out-of-the-box solution like a low-end PIX, Sonicwall or some other IPSec appliance. I am sure it would work out cheaper than the cost of the Linux server on which you plan to run FreeSWAN, unless you are using some old PC (which IMHO is fine for FreeSWAN use) for that.

From the FreeSWAN FAQ:

  Does FreeS/WAN support NAT traversal?

  Vanilla FreeS/WAN does not, but thanks to Mathieu Lafon and Arkoon Network Security, there's a patch to support this.
    a. patch and documentation
    b. Super FreeS/WAN incorporates this and other user-contributed patches.
  The NAT traversal patch has some issues with PSKs, so you may wish to authenticate with RSA keys, or X.509 (requires a patch which is also included in Super FreeS/WAN).
  Doing the latter also has advantages when dealing with large numbers of clients who may be behind NAT; instead of having to make an individual Roadwarrior connection for each virtual IP, you can use the "rightsubnetwithin" parameter to specify a range. See these rightsubnetwithin instructions.

HTH,
Siddhartha - Muscat 23.36N 58.38E

----- Original Message -----
From: freeswan
To: vpn at lists.shmoo.com
Sent: Friday, August 29, 2003 11:05 PM
Subject: [VPN] ipsec and nat

Hi everyone!

I have a little problem that I would need some help with. I want to be able to set up the following. At the office in London we want to install a super freeswan VPN gateway. Users at the office in Stockholm want access to London via the VPN gateway. In Stockholm we don't have a VPN gateway, and we don't want one. We have a NATted network with 3 client computers. And those 3 are running Windows XP and are going to have certificates installed issued by the London VPN gateway. We want to be able to have all three clients simultaneously connected to London. And this is the part I'm not sure how to set up. So does anybody know how to connect these computers? Help is appreciated.

Regards,
Daniel

From jammer20002 at yahoo.co.uk Mon Sep 8 10:33:33 2003
From: jammer20002 at yahoo.co.uk (Jammer)
Date: Mon, 8 Sep 2003 15:33:33 +0100 (BST)
Subject: [VPN] VPN's: where do I get started?
Message-ID: <20030908143333.81854.qmail@web21413.mail.yahoo.com>

I need to set up a VPN. Where do I get started? I know nothing about VPNs - I've read about what they are, but know nothing else. Where do I start?
Are there any websites that I should visit? What book would be recommended? What OS should I go for? Windows? Unix? I've been told go for Unix because then you don't have to pay for the licenses. But, with Windows, surely I'll be able to get more help easily because more people use it? ANY help would be appreciated. Thanks.

Jam

From kelly_koons at yahoo.com.sg Mon Sep 8 21:14:14 2003
From: kelly_koons at yahoo.com.sg (Kelly Koons)
Date: Tue, 9 Sep 2003 09:14:14 +0800 (CST)
Subject: [VPN] Nortel Contivity box -
In-Reply-To: <20030908143333.81854.qmail@web21413.mail.yahoo.com>
Message-ID: <20030909011414.248.qmail@web60106.mail.yahoo.com>

List,

I am using a Nortel Contivity 4500 for providing the VPN to my 100 users. I have a block of /24 pool where all the users get an IP assigned when they get connected. Is there any way I can assign a fixed IP in that pool for any user? That particular user wants to make some auto process and for this he needs a fixed IP address.......... Any help?

Thanks
Kelly
From friedberg at comets.com Tue Sep 9 23:59:01 2003
From: friedberg at comets.com (Carl Friedberg)
Date: Tue, 09 Sep 2003 23:59:01 -0400
Subject: [VPN] Nortel Contivity box -
Message-ID: <01L0H9P46SIA00EKJI@mail1.fwd.com>

Kelly,

I don't know about the 4500, but you can assign fixed IP addresses with the 600. I can't log in now, but it is pretty obvious where you do this. If you really can't get it going, e-mail me off list and I will try it on a 600 and let you know what was needed.

Carl
From jac_des_vert at yahoo.com Wed Sep 10 06:59:15 2003
From: jac_des_vert at yahoo.com (Jac)
Date: Wed, 10 Sep 2003 03:59:15 -0700 (PDT)
Subject: [VPN] Nortel Contivity box -
In-Reply-To: <20030909011414.248.qmail@web60106.mail.yahoo.com>
Message-ID: <20030910105915.76727.qmail@web14103.mail.yahoo.com>

If you go to your user definition (under Profiles -> Users) you can edit the profile and enter a static IP address/subnet mask for the user. This will only work for IPSec client connections. The entry is in the "General" section and is called "Remote User" with the 2 fields for static IPs. You'll need to remove that IP from the address pool to ensure it doesn't get assigned again, so it won't actually be in the pool any longer, but this will statically assign the address.

Or you can create a pool of 1 address and make a separate user group that only has that single user in it that will just use that pool.

I think you can also do this with RADIUS if you are using that for authentication. I think the Contivity will accept an IP address return attribute from the RADIUS system.

Hope that is what you're looking for.

Jac
From MLittle at bhsi.com Wed Sep 10 10:09:36 2003
From: MLittle at bhsi.com (Little, Mike (BHS))
Date: Wed, 10 Sep 2003 10:09:36 -0400
Subject: FW: [VPN] Nortel Contivity box -
Message-ID: <03Sep10.095859edt.119121@pcbhi266.bhsi.com>

Kelly,

You'll see the option to assign a static address from the user profiles when you edit the account, provided you are using the local LDAP database for managing accounts.
Regards,
Mike
From mdownes at cinci.rr.com Fri Sep 12 02:26:04 2003
From: mdownes at cinci.rr.com (Michael R. Downes)
Date: Fri, 12 Sep 2003 02:26:04 -0400
Subject: [VPN] Nortel Contivity "Banner Text" problem
Message-ID: <001c01c378f6$be7432c0$13e07a92@MRD>

All-

I'm seeing this same problem. Has anyone found a resolution??

Also, where can I obtain v4.75.140 of EAC that Robert mentioned?

Thanks in advance,
Mike

----- Forwarded by Robert E Bunzli/GIS/CSC on 06/24/03 11:52 AM -----

Robert E Bunzli/GIS/CSC
06/23/03 09:58 AM
To: vpn at lists.shmoo.com
Subject: Re: [VPN] Nortel Contivity "Banner Text" problem

I've seen a NAT problem generate this message and it has nothing to do with the "Banner Text", that's just where it hangs.

Check your NAT traversal settings. Make sure it's enabled in Services/IPSec. Then look at your group settings for IPSec and NAT Traversal; if you're already set at auto detect then try the "IPSec capable NAT" setting (one of these 2 settings should work). This is a fairly new option (IPSec capable NAT) so you may need to upgrade your software (don't use v4.75.100!!! there's a v4.75.140 that's been out now for several weeks).

Regards, Robert
"Duross, Bill" @stratus.com>
Sent by: vpn-bounces
06/20/03 07:34 AM
Subject: [VPN] Nortel Contivity "Banner Text" problem

I use the Nortel Contivity product for client VPN connectivity and I occasionally (1 in 50 users?) run into the following problem. The installation appears to go normally with no errors, but when the user tries to log in, there is a +/- 20 second delay at the "Checking for Banner Text" window and then the user gets an error message that the connection has been lost. The log on the CES shows a normal login (authentication, address assignment, DNS Servers, etc) and then says that a "Delete message for ISAKMP SA" was received from the client. I've only seen this on Win2k and XP clients.

I've spoken to Nortel and they don't have any solid fix and I haven't found much of use via google.

Has anyone run into this and found a way around the problem?

Thanks.

Bill

From craig at proactive.co.nz Sun Sep 14 00:36:05 2003
From: craig at proactive.co.nz (Craig Higgins)
Date: Sun, 14 Sep 2003 16:36:05 +1200
Subject: [VPN] PPTP VPN on Win2003 Enterprise server

Hi there,

I am trying to set up a dial-up PPTP VPN from an XP client to a 2003 server. The VPN only has to get to the server as there is no inside LAN - therefore I am using only one NIC. The server is connected to the internet through a router using DSL - I have opened port 1723 and mapped it to the internal IP address [& port 1723] I am using for the server.
I have followed the instructions in 2003 help and have double checked the access policy, user rights, and RRAS configurations.

The error I get in the event log on the server tells me that "The user has connected and failed to authenticate on port VPN3-127. The line has been disconnected." The error at the client end is "Access was denied because the user name and password was not valid on the domain".

I have tried changing the authentication protocols, i.e. from MS-CHAP v2 to EAP, and made sure the changes are reflected in the server settings, the access policy and the client configuration - to no avail. The server is not using Active Directory & it doesn't seem to matter whether the dial-in properties of the user account are set to "allow access" or "control by access policy".

I'm stumped...any help would be appreciated.

Thanks
Craig.

From jac_des_vert at yahoo.com Mon Sep 15 07:11:56 2003
From: jac_des_vert at yahoo.com (Jac)
Date: Mon, 15 Sep 2003 04:11:56 -0700 (PDT)
Subject: [VPN] Nortel Contivity "Banner Text" problem
In-Reply-To: <001c01c378f6$be7432c0$13e07a92@MRD>
Message-ID: <20030915111156.73914.qmail@web14108.mail.yahoo.com>

There isn't any resolution to this from the vendor's perspective because there is nothing wrong with their code. There is generally something wrong with the environment that is being used, as stated below. You could also have this error if there is a firewall blocking ESP/AH (protocols 50 and 51). The client succeeds in setting up the ISAKMP negotiation but when the client goes to get the banner it fails because something has blocked the message outgoing or the reply. If it's a NAT issue the "IPSec capable NAT" should get you around it.

The v04_75.140 is not client code, it's for the server. You should check with Nortel support for the most recent EAC code.
No place else really to get it since it only works with their product.

Jac
From dave_rypma at manulife.com Tue Sep 16 08:36:29 2003
From: dave_rypma at manulife.com (dave_rypma at manulife.com)
Date: Tue, 16 Sep 2003 08:36:29 -0400
Subject: [VPN] PPTP VPN on Win2003 Enterprise server

Have you opened the firewall for protocol 47 (GRE - generic routing encapsulation)? PPTP needs that too. And remember, this is a PROTOCOL, not a PORT.

Dave Rypma
Manulife Financial.
>
> Thanks
> Craig.

From Cris at stoller.com.br Tue Sep 16 10:13:13 2003
From: Cris at stoller.com.br (Ana Cristina Trevenzoli)
Date: Tue, 16 Sep 2003 11:13:13 -0300
Subject: [VPN] Site-to-site VPNs to same networks
Message-ID: <0955B395839711488721420B7D7BEC33556149@terra.stoller.com.br>

Please,

I saw the message in http://sisyphus.iocaine.com/pipermail/vpn/2002-July/003471.html

I have the scenario:

    IP notebook: 192.168.0.101
    mask 255.255.255.0
    default gateway: 192.168.1.1

    Remote network:
    Range IP 192.168.0.0
    mask 255.255.0.0

Should I be able to establish the VPN? Because the masks are different, but
I authenticate the VPN and I can't ping a machine.

Please, help me!!

Thank you very much,
Ana Cristina

The information contained in this e-mail and in the attached files are for
the exclusive use of the addressee herein nominated, and may contain trade
secrets, privileged and other confidential information, protected by the
applicable laws.
In case you are not the right addressee, you are hereby notified that any
reviewing, reading, copying and/or distributing of this e-mail's content is
strictly prohibited and unauthorized. Please, delete the e-mail's content and
notify the sender (stoller at stoller.com.br) immediately. Thank you for your
cooperation.

From dale.nunnery at medicorp.org Wed Sep 17 16:34:14 2003
From: dale.nunnery at medicorp.org (dale.nunnery at medicorp.org)
Date: Wed, 17 Sep 2003 16:34:14 -0400
Subject: [VPN] VPN Client

What is the most common VPN client used for most enterprises? Thank you.

Dale Nunnery

From TSimons at Delphi-Tech.com Thu Sep 18 09:07:49 2003
From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com)
Date: Thu, 18 Sep 2003 09:07:49 -0400
Subject: [VPN] IPSEC over load-shared T1s (per packet)
Message-ID: <880E60DA7286AB4CBEECB01B169A63BD0F69B6AE@NJ-2K-Email1.delphi-tech.com>

Hello All

Recently we doubled our internet bandwidth to two T1s from the same provider
that terminate on the same router on the NOC side.

We set up IP LOAD-SHARING PER-PACKET on each of the serial links on both
sides (NOC and us) in order to get an aggregate 3.0 Mbit. PER-PACKET routing
alternates usage of the T1s, one for one...

Since then, VPN performance has taken a dive. Sniffing out traffic, ESP
packets are sent 3-4 times before they can be properly decrypted.

Someone along the way said that using PER-PACKET routing changes the CRC
value of the packets. Is this correct, has anyone else seen this issue? I
can't see how the CRC is changed, the hop count isn't changing, the lines
are identical, and they terminate in the same router, so the last hop is the
F0/0 interface of the router before getting to the firewall.

Thanks,
~Todd

__________________________________
Todd M. Simons
Senior MIS Engineer
Dell Tier 1 PA Technician
Delphi Technology, Inc.
New Brunswick, NJ

Note: The contents of this email do not constitute a legally binding
commitment.
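Returning to Ana Cristina's site-to-site question earlier in this digest: the notebook is 192.168.0.101/24 with a default gateway of 192.168.1.1, and the remote side is 192.168.0.0/16, so the client's own subnet sits inside the remote selector and the gateway is not on the client's subnet. The following is an added example, not code from the list or from any vendor, that checks a client/remote layout for exactly these faults before IKE gets the blame; the addresses are the ones from her post, and the function names are mine.

```python
"""Check a client/remote address layout before blaming IKE.

Added example for Ana Cristina's site-to-site question; not code from the
list or from any vendor. The three addresses are the ones from her post.
The checks are what a gateway's phase-2 selectors and the client's routing
table require, written out so the failure is visible before a tunnel is
even attempted.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def check_layout(client_if: str, gateway: str, remote_net: str) -> list[str]:
    """Return the problems found (an empty list means the layout can work)."""
    client = IPv4Interface(client_if)               # "192.168.0.101/24"
    gw = IPv4Address(gateway)
    remote = IPv4Network(remote_net, strict=False)  # "192.168.0.0/16"
    problems = []

    # 1. The default gateway must be on-link. Unless the OS adds an explicit
    #    host route for it, an off-subnet next hop cannot be ARPed, so
    #    nothing (IKE included) leaves the host through it.
    if gw not in client.network:
        problems.append(f"gateway {gw} is not on local subnet {client.network}")

    # 2. A client address inside the remote selector means the client's own
    #    traffic matches the tunnel policy and the far side routes replies to
    #    "its" 192.168.0.0/16 locally instead of back through the tunnel.
    if client.ip in remote:
        problems.append(f"client {client.ip} is inside remote selector {remote}")
    # 3. Any other overlap is still a selector conflict for the gateway's SPD.
    elif client.network.overlaps(remote):
        problems.append(f"local {client.network} overlaps remote {remote}")

    return problems


def remote_without_local(client_if: str, remote_net: str) -> list[IPv4Network]:
    """The remote selector with the client's subnet carved out, as prefixes.

    This is what the remote side would have to present as its selector
    (or the client LAN be renumbered away from) before return traffic can
    be routed into the tunnel unambiguously.
    """
    client = IPv4Interface(client_if)
    remote = IPv4Network(remote_net, strict=False)
    if not client.network.subnet_of(remote):
        return [remote]
    return list(remote.address_exclude(client.network))


if __name__ == "__main__":
    for p in check_layout("192.168.0.101/24", "192.168.1.1", "192.168.0.0/16"):
        print("problem:", p)
    for net in remote_without_local("192.168.0.101/24", "192.168.0.0/16"):
        print("remote selector without the local LAN:", net)
```

Run as-is it reports both problems for her layout and prints the eight prefixes that remain of 192.168.0.0/16 once 192.168.0.0/24 is carved out. The practical fixes are the ones the checks point at: put the default gateway on the client's subnet, and either renumber the client LAN out of 192.168.0.0/16 or narrow the remote selector so the two never overlap.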
From Casey.Tom at Verizon.net Thu Sep 18 13:15:19 2003
From: Casey.Tom at Verizon.net (Tom Casey)
Date: Thu, 18 Sep 2003 13:15:19 -0400
Subject: [VPN] Linksys BEFSX41 --> Netscreen NS5
Message-ID: <000a01c37e08$710113c0$fb01a8c0@approvednetwork.local>

I have not been able to connect a tunnel between a BEFSX41 (dynamic IP) and a
NS5 (static IP). Which genius in the group knows how to do this? TIA for any
help you can offer.

From casabach at comcast.net Thu Sep 18 14:02:00 2003
From: casabach at comcast.net (casabach)
Date: Thu, 18 Sep 2003 14:02:00 -0400
Subject: [VPN] necessary vpn subsystem is not available
Message-ID: <3F69F318.7070009@comcast.net>

On Thu, Jul 17, 2003 at 01:25:37PM -0400, Ronald Funk wrote:
> All,
>
> 'necessary vpn subsystem is not available'
> Any ideas on why we see this sometimes?
>
> Thanks
> RF

I have the same problem. Did you solve your problem?
Cisco said they never heard of such a thing.

From jef at linuxbe.org Fri Sep 19 03:18:36 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Fri, 19 Sep 2003 09:18:36 +0200
Subject: [VPN] VPN Client
Message-ID: <1063955916.2083.21.camel@gardafou>

After vendor-specific clients, most probably SSH Sentinel.

On Wed, 2003-09-17 at 22:34, dale.nunnery at medicorp.org wrote:
> What is the most common VPN client used for most enterprises? Thank
> you.
>
> Dale Nunnery
> PACS Systems Analyst
> Information Services
> MediCorp Health System - Mary Washington Hospital
> Fredericksburg VA 22401
> (540) 372-7304 Pager
> (540) 741-1006 Vmail
> dale.nunnery at medicorp.org
>
> This e-mail message, including any attachments, is for the sole use of
> the intended recipients and may contain information that is
> confidential, legally privileged, and/or exempt from disclosure under
> applicable law. If you are not the intended recipient or receive this
> message in error, please contact the sender by reply e-mail and by
> phone and destroy all copies of the original message. Any unauthorized
> review, use, reproduction, disclosure or distribution is strictly
> prohibited. Thank you.

--
-> Jean-Francois Dive
--> jef at linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde

From jef at linuxbe.org Fri Sep 19 03:45:35 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Fri, 19 Sep 2003 09:45:35 +0200
Subject: [VPN] IPSEC over load-shared T1s (per packet)
In-Reply-To: <880E60DA7286AB4CBEECB01B169A63BD0F69B6AE@NJ-2K-Email1.delphi-tech.com>
Message-ID: <1063957535.2083.33.camel@gardafou>

This is a classic (well, as much as it could be). In general, load balancing
per packet is not a good idea: protocols do not like out-of-order packets.
Yes, it still works, but you see the price now. For example, TCP will drop
its sending rate when out-of-order packets / acks come back. IPsec uses a
replay counter for each SADB entry and will drop too-late or too-early
packets. If this is the case, you should see the replay window check fail
counter on your GW increase.
If this is not the case, then the inner TCP packets still get in out of order
with drops --> significant drop of perfs. The out-of-order can be explained in
your scenario because probably the 2 IP endpoints of the line are quite
distant and maybe go through a whatever_WAN_network. As well, the queues on
the router and potential QoS rules may explain this.

Solutions:

- Extend the replay window size, but this is classically not an option in
  most vendor implementations (they implement it as a 32 bit fixed u_int32_t
  value).
- Do your load balancing on a per-flow basis (pair of IPs) and you will see
  your perf go up; the way to achieve it is very dependent on the router
  vendors.

JeF

On Thu, 2003-09-18 at 15:07, TSimons at Delphi-Tech.com wrote:
> Hello All
>
> Recently we doubled our internet bandwith to two T1s from the same provider
> that terminate on in the same router on the NOC side.
> [...]
--
-> Jean-Francois Dive
--> jef at linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde

From mzimmerman at icsalabs.com Fri Sep 19 08:36:36 2003
From: mzimmerman at icsalabs.com (Zimmerman, Mark)
Date: Fri, 19 Sep 2003 08:36:36 -0400
Subject: [VPN] Linksys BEFSX41 --> Netscreen NS5

Tom,

I'm not sure how similar the BEFSX41 and the BEFVP41 are, but we have
detailed configuration steps in Lab Notes on our web site for Linksys and
Netscreen.

http://www.icsalabs.com/html/communities/ipsec/certification/certified_products/index.shtml

Regards,

-----Original Message-----
From: Tom Casey [mailto:Casey.Tom at Verizon.net]
Sent: Thursday, September 18, 2003 1:15 PM
To: vpn at lists.shmoo.com
Subject: [VPN] Linksys BEFSX41 --> Netscreen NS5

I have not been able to connect a tunnel between a BEFSX41 (dynamic IP) and a
NS5 (static IP). Which genius in the group knows how to do this? TIA for any
help you can offer.

***********************************************************************
This message is intended only for the use of the intended recipient and
may contain information that is PRIVILEGED and/or CONFIDENTIAL. If you
are not the intended recipient, you are hereby notified that any use,
dissemination, disclosure or copying of this communication is strictly
prohibited. If you have received this communication in error, please
destroy all copies of this message and its attachments and notify us
immediately.
***********************************************************************
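For the load-shared T1 thread, the mechanism Jean-Francois describes (an ESP anti-replay window that drops packets arriving too far behind the newest one) can be shown with a short simulation. This is an added example, not code from the list or from any router vendor: the receiver logic follows the RFC 4303 sliding-bitmap replay check, while the two-link model (one path 100 packet-times behind the other), the 1000-packet burst and the 256-entry "wide window" are assumed values chosen to make the effect visible.

```python
"""Simulate what per-packet load sharing does to ESP's anti-replay window.

Added example for the load-shared T1 thread; not code from the list or
from any router vendor. The receiver logic follows the sliding-window
replay check of RFC 4303 section 3.4.3. The two-link model, the delay
skew and the packet count are assumed values; real skew comes from
queueing and path differences, not from a fixed offset.
"""
from collections.abc import Callable


class AntiReplayWindow:
    """Receiver-side replay check for one inbound SA (RFC 4303 style)."""

    def __init__(self, size: int = 64) -> None:
        self.size = size      # window width in sequence numbers
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  sequence (top - i) was seen

    def check(self, seq: int) -> str:
        """Classify an ESP sequence number as 'ok', 'replay' or 'late'."""
        if seq > self.top:                      # right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:                 # left of the window: dropped
            return "late"
        if (self.bitmap >> offset) & 1:         # inside, already seen
            return "replay"
        self.bitmap |= 1 << offset              # inside, first time: accept
        return "ok"


def arrival_order(n_packets: int, link_delay: dict[int, int],
                  pick_link: Callable[[int], int]) -> list[int]:
    """Sequence numbers in the order the receiving gateway sees them.

    Packet i is sent at time i on link pick_link(i) and arrives at
    i + link_delay[link]; sorting by arrival time gives the receive order.
    """
    arrivals = [(i + link_delay[pick_link(i)], i) for i in range(1, n_packets + 1)]
    arrivals.sort()
    return [seq for _, seq in arrivals]


def receive(order: list[int], window: int = 64) -> dict[str, int]:
    """Feed an arrival order through one SA's window and count the verdicts."""
    w = AntiReplayWindow(window)
    counts = {"ok": 0, "replay": 0, "late": 0}
    for seq in order:
        counts[w.check(seq)] += 1
    return counts


# Router behaviours. Per-packet alternates links. Per-flow keys on the outer
# IP pair, and every ESP packet of one tunnel shares that pair, so the whole
# tunnel lands on one link and stays in order (and gets only that link's
# bandwidth, which is the trade-off).
def per_packet(seq: int) -> int:
    return seq % 2


def per_flow(src: str, dst: str, n_links: int = 2) -> Callable[[int], int]:
    link = sum(map(ord, src + dst)) % n_links   # stand-in for the router's hash
    return lambda seq: link


LINK_DELAY = {0: 0, 1: 100}   # assumed: link 1 delivers 100 packet-times later


def scenario(name: str) -> dict[str, int]:
    """'per-packet', 'per-flow' or 'per-packet-wide-window' (assumed 256)."""
    if name == "per-packet":
        return receive(arrival_order(1000, LINK_DELAY, per_packet), window=64)
    if name == "per-flow":
        chooser = per_flow("192.0.2.1", "198.51.100.1")   # RFC 5737 test addresses
        return receive(arrival_order(1000, LINK_DELAY, chooser), window=64)
    if name == "per-packet-wide-window":
        return receive(arrival_order(1000, LINK_DELAY, per_packet), window=256)
    raise ValueError(name)


if __name__ == "__main__":
    for name in ("per-packet", "per-flow", "per-packet-wide-window"):
        print(f"{name:24s} {scenario(name)}")
```

Per-packet sharing with the default 64-entry window loses 468 of the 1000 packets as "late"; the same stream keyed per flow, or received through a 256-entry window, loses none. The drops are invisible to the inner TCP except as retransmissions, which is consistent with the ESP packets Todd saw sent 3-4 times; on the gateway, the replay-window failure counter Jean-Francois mentions is where to confirm it.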
From c.flory at comcast.net Fri Sep 19 09:35:41 2003
From: c.flory at comcast.net (Chris Flory)
Date: Fri, 19 Sep 2003 08:35:41 -0500
Subject: [VPN] necessary vpn subsystem is not available
References: <3F69F318.7070009@comcast.net>
Message-ID: <00b701c37eb2$ebb56d00$4564a8c0@ASTRONOMER>

"The necessary VPN subsystem is not available...connection to the remote
IPSec server." usually means the Cisco VPN Service (cvpnd.exe) is not
running. Anyway, the temporary solution was to run cvpnd.exe manually, then
run the VPN application. One potential path for you is to disable everything
that initializes on booting on the machine and ensure cvpnd.exe (and then
VPN) runs successfully in a 'clean' environment.

----- Original Message -----
From: casabach
To: vpn at lists.shmoo.com
Sent: Thursday, September 18, 2003 1:02 PM
Subject: [VPN] necessary vpn subsystem is not available

> I have the same problem. Did you solve your problem?
> Cisco said they never heard of such a thing.

From djdawso at qwest.com Fri Sep 19 11:03:28 2003
From: djdawso at qwest.com (Dana J.
Dawson)
Date: Fri, 19 Sep 2003 10:03:28 -0500
Subject: [VPN] necessary vpn subsystem is not available
In-Reply-To: <3F69F318.7070009@comcast.net>
Message-ID: <3F6B1AC0.8060802@qwest.com>

I've seen this several times, and it seems that it usually (perhaps always)
happens if I change the IP address of my ethernet interface without first
quitting out of the client. Usually a reboot fixes it, but a couple of times
I've had to uninstall and reinstall the client. The client now stays running
down in the task bar in some situations, which I don't think previous
versions used to do, so it's easier to not notice that it's still running.

By the way, my experiences have been with Windows 2000. I don't know if it
behaves the same under XP or not.

HTH

Dana

casabach wrote:
> I have the same problem. Did you solve your problem?
> Cisco said they never heard of such a thing.

--
Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
Minneapolis MN 55413-2620

"Hard is where the money is."

From djdawso at qwest.com Fri Sep 19 11:17:48 2003
From: djdawso at qwest.com (Dana J. Dawson)
Date: Fri, 19 Sep 2003 10:17:48 -0500
Subject: [VPN] IPSEC over load-shared T1s (per packet)
In-Reply-To: <880E60DA7286AB4CBEECB01B169A63BD0F69B6AE@NJ-2K-Email1.delphi-tech.com>
Message-ID: <3F6B1E1C.2000801@qwest.com>

Unless you're doing NAT, the CRC of the IP packet will not change. This
sounds more like an issue with out-of-order packets, especially if you have
any fragmentation going on, since some devices don't like out-of-order
fragments.
The easiest fix may be to set the MTU of your VPN devices down to avoid
fragmentation completely (1400 or so is probably a good number), but you may
have other options as well. For example, Cisco has some specific commands in
IOS for dealing with fragmentation and PMTU Discovery.

Good luck!

Dana

TSimons at Delphi-Tech.com wrote:
> Hello All
>
> Recently we doubled our internet bandwith to two T1s from the same provider
> that terminate on in the same router on the NOC side.
> [...]

From xml0202 at yahoo.com Mon Sep 22 06:16:47 2003
From: xml0202 at yahoo.com (john bush)
Date: Mon, 22 Sep 2003 03:16:47 -0700 (PDT)
Subject: [VPN] Asking for opinion.
Message-ID: <20030922101647.97383.qmail@web13111.mail.yahoo.com>

Hi all,

Does anybody know how I can test or analyze the performance of different VPN
protocols under a Linux environment?

Thanks.

From ILazar at burtongroup.com Mon Sep 22 17:50:15 2003
From: ILazar at burtongroup.com (Irwin Lazar)
Date: Mon, 22 Sep 2003 15:50:15 -0600
Subject: [VPN] VPN Client
Message-ID: <93C5326FCFEA7241BB6731D44D4147BC8CD139@bgslc11.burtongroup.com>

Internet Explorer. (SSL VPN)

-----Original Message-----
From: dale.nunnery at medicorp.org [mailto:dale.nunnery at medicorp.org]
Sent: Wednesday, September 17, 2003 4:34 PM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN Client

What is the most common VPN client used for most enterprises? Thank you.

Dale Nunnery
PACS Systems Analyst
Information Services
MediCorp Health System - Mary Washington Hospital
Fredericksburg VA 22401
[...]
From jermwoliver at yahoo.com Tue Sep 23 14:45:32 2003
From: jermwoliver at yahoo.com (Jeremy Oliver)
Date: Tue, 23 Sep 2003 11:45:32 -0700 (PDT)
Subject: [VPN] Lan 2 Lan VPN from Netscreen 5GT and Nortel Contivity 1600
Message-ID: <20030923184532.22879.qmail@web13005.mail.yahoo.com>

Has anyone ever set this up? We have DSL at some of our locations and want
them to be able to communicate back to the corp office just like they were
on a frame circuit.

From TSimons at Delphi-Tech.com Wed Sep 24 08:45:19 2003
From: TSimons at Delphi-Tech.com (TSimons at Delphi-Tech.com)
Date: Wed, 24 Sep 2003 08:45:19 -0400
Subject: [VPN] IPSEC over load-shared T1s (per packet) (NxT1 and MLP)
Message-ID: <880E60DA7286AB4CBEECB01B169A63BD0F69B7C4@NJ-2K-Email1.delphi-tech.com>

Hello All

Just a status....

- The problem was ESP packets coming in out of sequence.
- A guru member of the mailing list [FW-WIZ] said I should try to strong-arm
  the vendor into fixing this by recognizing and reordering the ESP packets,
  but I didn't get far.
- Cisco recommended Multilink PPP, which aggregates the 2 T1s into one 3 Mbit
  virtual interface; our ISP welcomed this change and we put it through. I'll
  be testing and monitoring today.

Links on Cisco's site:

- Alternatives for High Bandwidth Connections Using Parallel T1/E1 Links
  http://www.cisco.com/warp/public/cc/pd/ifaa/pa/much/tech/althb_wp.pdf
- Bundling NxT1 Links With a Multilink Interface
  http://www.cisco.com/warp/public/793/access_dial/ppp_11044.pdf

Changes to our Cisco router:

1.) Create INT MULTILINK 1 (virtual interface):

    interface Multilink1
     ip address ?.?.?.? 255.255.255.252
     ip verify unicast source reachable-via any allow-self-ping 108
     no ip directed-broadcast
     no ip route-cache cef
     no ip route-cache
     load-interval 30
     no cdp enable
     ppp multilink
     no ppp multilink fragmentation
     multilink load-threshold 1 either
     multilink-group 1

2.) Strip back the IP addresses from the member Serial interfaces and add the
    following to each interface:

     encap ppp
     no ip route-cache distributed
     ip unnumbered Multilink1
     ppp multilink
     multilink-group 1

To view the status of the new multi1 interface use "sh ppp multilink":

    SL-Gateway#sh ppp multilink
    Multilink1, bundle name is [remote router name]
      Bundle up for 10:57:52
      1 lost fragments, 16609 reordered, 0 unassigned
      0 discarded, 0 lost received, 6/255 load
      0x828E9 received sequence, 0x61758 sent sequence
      Member links: 2 active, 0 inactive (max not set, min not set)
        Serial0/0, since 10:57:52, last rcvd seq 0828E5
        Serial0/1, since 10:57:50, last rcvd seq 0828E8
    SL-Gateway#

Hope this helps!!

~Todd

-----Original Message-----
From: TSimons at Delphi-Tech.com [mailto:TSimons at Delphi-Tech.com]
Sent: Thursday, September 18, 2003 9:08 AM
To: vpn at lists.shmoo.com
Subject: [VPN] IPSEC over load-shared T1s (per packet)

[...]

From alberto at combat.com.br Sat Sep 27 19:22:05 2003
From: alberto at combat.com.br (Alberto Fabiano)
Date: Sat, 27 Sep 2003 20:22:05 -0300
Subject: [VPN] FreeSWAN CA 2.02 x PIX - Trouble in phase 2

Sirs,

After exhausting research on Google and reading several materials, I have
arrived at the conclusion that I urgently need help! :-)

I have a FreeSWAN CA 2.02 and am trying to establish a tunnel with a PIX
using 3DES, MD5, IKE DH group 2 and PSK. For some days I have not been
obtaining success in phase 2 of IPsec; could anybody offer some help?

Initially I managed to bring the VPN up (phase 1 and 2) and I made some tests
without a lot of headaches, but now I don't know why I can no longer get it
up.

Below are the relevant parts of my ipsec.conf and the whack status related to
this tunnel.
# cat /var/chroot-ipsec/etc/ipsec.conf

    #
    # Default Configuration File for FreeS/WAN IPSEC
    #

    config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=all
        dumpdir=
        manualstart=
        fragicmp=no
        packetdefault=drop
        hidetos=yes
        uniqueids=yes
        overridemtu=16260
        nocrsend=yes
        nat_traversal=yes
        keep_alive=60

    conn %default
        rekeymargin=9m
        rekeyfuzz=100%
        keyingtries=0

    conn VPN_5
        type=tunnel
        keyexchange=ike
        pfsgroup=modp1024
        pfs=yes
        auto=start
        authby=secret
        ike=3des-md5-modp1024
        esp=3des-md5-96
        keylife=28800
        ikelifetime=2880
        compress=no
        left=192.168.1.22
        leftsubnet=192.168.1.5/255.255.255.255
        leftnexthop=10.10.1.119
        right=10.10.18.143
        rightsubnet=10.10.18.146/255.255.255.255
        rightnexthop=10.10.38.10
        leftupdown="/opt/_updown 2>/tmp/log 1>/tmp/log"
        rightupdown="/opt/_updown 2>/tmp/log 1>/tmp/log"
        leftid=192.168.1.22
        rightid=10.10.18.143

# chroot /var/chroot-ipsec/ /usr/local/lib/ipsec/whack --status

    000 interface ipsec0/eth0 192.168.1.22
    000 interface ipsec0/eth0 192.168.1.22
    000
    000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
    000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
    000
    000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
    000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
    000
    000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,96} attrs={0,6,160}
    000
    000 "VPN_5": 192.168.1.5/32===192.168.1.22---10.10.1.119...10.10.38.10---10.10.18.143===10.10.18.146/32
    000 "VPN_5":   ike_life: 2880s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "VPN_5":   policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted
    000 "VPN_5":   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
    000 "VPN_5":   IKE algorithms wanted: 5_000-1-2, flags=-strict
    000 "VPN_5":   IKE algorithms found:  5_192-1_128-2,
    000 "VPN_5":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
    000 "VPN_5":   ESP algorithms wanted: 3_000-1, ; pfsgroup=2; flags=strict
    000 "VPN_5":   ESP algorithms loaded: 3_168-1_128,
    000
    000 #6: "VPN_5" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s
    000 #1: "VPN_5" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1673s; newest ISAKMP
    000

Awaiting help for my problem... Thanks for all!!!

Kind Regards,

Alberto Fabiano Caires de Medeiros
e-mail: alberto at combat.com.br
From ABurnett at saneline.org Mon Sep 29 05:22:13 2003
From: ABurnett at saneline.org (Andrew Burnett)
Date: Mon, 29 Sep 2003 10:22:13 +0100
Subject: [VPN] VPN Help!

Hi

I am working for the Mental Health charity SANE, helping out on their IT
side. My experience is as a Business Analyst/Project Manager in Application
Development, not Networking.

However, they have very little IT knowledge and it has fallen to me to
investigate their network setup and its performance. I wonder if you can
help me - or point me in a better direction...

We have recently changed to an ADSL connection from ISDN. We have 3 sites
linked via a VPN and have not noticed an improvement in performance since
this changed. We expected that there would be an improvement but have been
told that the speed was not expected to have been improved by this change.
Having read a bit of the "Weakest Link" link on your website, I would think
that ADSL would speed things up - Is this correct?

Regards

Andy Burnett

From rmalayter at bai.org Mon Sep 29 17:52:48 2003
From: rmalayter at bai.org (Ryan Malayter)
Date: Mon, 29 Sep 2003 16:52:48 -0500
Subject: [VPN] VPN Help!
Message-ID: <792DE28E91F6EA42B4663AE761C41C2AF3D43F@cliff.bai.org>

Asymmetric DSL connections are typically 768 kbps or 1.5 Mbps in the
"downstream" direction and 128 kbps or 256 kbps in the "upstream" direction.
Since at least one of your sites is always sending "upstream" in a VPN link,
you're limited to the upstream bandwidth for your VPN throughput. If you have
128 kbps as your upstream bandwidth on your ADSL connections, you're getting
the same VPN speed as ISDN, although web surfing and other downloading
activities outside of the VPN will be faster.
So, I think you'll either want to look at switching your links to
business-class Symmetric DSL (SDSL), which is typically 384 kbps in both
directions, or at least moving to faster ADSL that has 256 kbps or more
upstream bandwidth. As long as you stay with the same ISP, this switch
shouldn't be too expensive.

Regards,
Ryan Malayter
Sr. Network & Database Administrator
Bank Administration Institute
Chicago, Illinois, USA
PGP Key: http://www.malayter.com/pgp-public.txt
:::::::::::::::::::::::::::::::
Politics is supposed to be the second-oldest profession. I have come to
realize that it bears a very close resemblance to the first.
-Ronald Reagan

-----Original Message-----
From: Andrew Burnett [mailto:ABurnett at saneline.org]
Sent: Monday, September 29, 2003 4:22 AM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN Help!

[...]

From friedberg at comets.com Mon Sep 29 18:01:31 2003
From: friedberg at comets.com (Carl Friedberg)
Date: Mon, 29 Sep 2003 18:01:31 -0400
Subject: [VPN] VPN Help!
Message-ID: <01L18V1VXQZ600G8KA@mail1.fwd.com>

As in all things, "it depends".

ADSL by itself does not say what speed you are getting (or are supposed to
get). There's a cheaper version, limited to 384K down, perhaps as little as
64 or 128 kbps upstream (compared with ISDN and its 128k/128k). You can get
ADSL at 1500 kbps down, 384 up, but it will cost more, most likely.

Go to DSLREPORTS.COM, look for OUR TOOLS, look for SPEED TESTS, and see what
you are actually getting (which is most likely less than the rated or
advertised speeds - those are not guaranteed by most providers).

Carl

> -----Original Message-----
> From: Andrew Burnett [mailto:ABurnett%saneline.org at fwd.com]
> Sent: Monday, September 29, 2003 5:22 AM
> To: vpn
> Subject: [VPN] VPN Help!
>
> [...]
>
> Regards
>
> Andy Burnett
>

From jef at linuxbe.org Tue Sep 30 07:02:10 2003
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Tue, 30 Sep 2003 13:02:10 +0200
Subject: [VPN] FreeSWAN CA 2.02 x PIX - Trouble in phase 2
Message-ID: <1064919730.725.26.camel@gardafou>

You don't see the answer from the PIX; it sounds like the problem is in the PIX- or freeswan-side P2 parameter negotiation. I would have expected the PIX to send back an informational message. Send us the PIX logs / config related to IPSec. Check that the selectors (proxy identities in Cisco terms) do match properly.

JeF

On Sun, 2003-09-28 at 01:22, Alberto Fabiano wrote:
> Mrs,
>
> After exhausting research on Google and reading several materials, I have arrived at the conclusion that I urgently need help! :-)
>
> I have a FreeS/WAN CA 2.02 and am trying to establish a tunnel with a PIX using 3DES, MD5, IKE DH group 2 and PSK. For some days I have not been able to get phase 2 of IPsec to succeed; could anybody help?
>
> Initially I managed to bring the VPN up (phase 1 and 2) and ran some tests without many headaches, but now I don't know why it no longer comes up.
>
> Below are the parts of my ipsec.conf and whack status related to this tunnel.
>
> # cat /var/chroot-ipsec/etc/ipsec.conf
>
> #
> # Default Configuration File for FreeS/WAN IPSEC
> #
>
> config setup
>     interfaces="ipsec0=eth0"
>     klipsdebug=none
>     plutodebug=all
>     dumpdir=
>     manualstart=
>     fragicmp=no
>     packetdefault=drop
>     hidetos=yes
>     uniqueids=yes
>     overridemtu=16260
>     nocrsend=yes
>     nat_traversal=yes
>     keep_alive=60
>
> conn %default
>     rekeymargin=9m
>     rekeyfuzz=100%
>     keyingtries=0
>
> conn VPN_5
>     type=tunnel
>     keyexchange=ike
>     pfsgroup=modp1024
>     pfs=yes
>     auto=start
>     authby=secret
>     ike=3des-md5-modp1024
>     esp=3des-md5-96
>     keylife=28800
>     ikelifetime=2880
>     compress=no
>     left=192.168.1.22
>     leftsubnet=192.168.1.5/255.255.255.255
>     leftnexthop=10.10.1.119
>     right=10.10.18.143
>     rightsubnet=10.10.18.146/255.255.255.255
>     rightnexthop=10.10.38.10
>     leftupdown="/opt/_updown 2>/tmp/log 1>/tmp/log"
>     rightupdown="/opt/_updown 2>/tmp/log 1>/tmp/log"
>     leftid=192.168.1.22
>     rightid=10.10.18.143
>
>
> # chroot /var/chroot-ipsec/ /usr/local/lib/ipsec/whack --status
>
> 000 interface ipsec0/eth0 192.168.1.22
> 000 interface ipsec0/eth0 192.168.1.22
> 000
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,96} attrs={0,6,160}
> 000
> 000 "VPN_5": 192.168.1.5/32===192.168.1.22---10.10.1.119...10.10.38.10---10.10.18.143===10.10.18.146/32
> 000 "VPN_5": ike_life: 2880s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "VPN_5": policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted
> 000 "VPN_5": newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
> 000 "VPN_5": IKE algorithms wanted: 5_000-1-2, flags=-strict
> 000 "VPN_5": IKE algorithms found: 5_192-1_128-2,
> 000 "VPN_5": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> 000 "VPN_5": ESP algorithms wanted: 3_000-1, ; pfsgroup=2; flags=strict
> 000 "VPN_5": ESP algorithms loaded: 3_168-1_128,
> 000
> 000 #6: "VPN_5" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s
> 000 #1: "VPN_5" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1673s; newest ISAKMP
> 000
>
> Awaiting help for my problem...
>
> Thanks for all!!!
> - Kind Regards.
>
>
> Alberto Fabiano Caires de Medeiros
> --------------------------------------------------------------------------
> e-mail: alberto at combat.com.br
> --------------------------------------------------------------------------
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
>
> mQGiBD9spjwRBACQ2aQEqcQyGxaoNX4Zvk/9v6fCxyPWAcBQSSiPjJyi3cXa9kLB
> XsQjdgBY90x45wFwI0QwneWFCP364YZXdo7ZRPiLjI+qV6expjCIIm/LXi1LphwK
> 6l87HYbm74a2T6mdxRmxhCrgsA+ezSCEkMA9YolPw2r+ufvp59IrrYHrcwCg5aTW
> LbsbVQ2i+beAfpFPw8muW1kEAINssb8RXbilwIL6k7ZPbHQghkTIM7iIK5eGwMOx
> lYtmzoA2tCzJla0tp9G1ls2hW12d6io80P5jbYpx+17nhPV49oVA6yKGJNCaTAzi
> uyRxUYOYhSyS8PXxOPp600NGJ8qiX53JEPKPLxoiF/HG6EWihEIDFqvI11mIEcfi
> WFTDA/0SKjjkKt+S1fk42AbnE39pz1Kn6av2hYz00DX4XensZcnmmcbA1eO0a+TP
> foTl0x2ipHN7eymcVudDVU6fbQu18SJa+rSutW3GBmreRDi0NQ4vilCAVueyQpVP
> WS/jnOcw+uQp2PRkY8ylKxIOcgQZqy56jCEcbFH/eTxTfqA6c7REQWxiZXJ0byBG
> YWJpYW5vIENhaXJlcyBkZSBNZWRlaXJvcyAoazRsMXBzMCkgPGFsYmVydG9AY29t
> YmF0LmNvbS5icj6IWwQTEQIAGwUCP2ymPAYLCQgHAwIDFQIDAxYCAQIeAQIXgAAK
> CRDlbFd4k92tdCi4AJ9EyxOlZMrAdINGlB6GBs9/jG3omwCfdLbqML4sXLCMoXU/
> dJNLLC+lBSK5AQ0EP2ymQBAEAL5xjfRLFgxBVEiBK3Kr+1y75euY5nKC8H0CJy93
> w0YTB2E3DMVNFBX6woj7jnoW5+F+/a0+iVfOgkHWeGbvE7ZghCphrb4AOa2j3DHA
> eP2GNQarNEqP1v3RYa8e7WNEUx/RVnhxeW7XMsX7ylGx9e8QTTwAEFFc3gUoiYTn
> 2ljrAAMFA/4gDsxYp68UWniwzSCFgq16a6ATscTF45aPq0ROkUepWIMKY2/X/FQc
> e4FMSzRWC38fKILrkxhoaWIx1r2MFUiQtk3ItdXSDh5u2D/U+nHQqhYcgqjTzsfK
> 659HXw5GzmzbpueKymD6wsU1uYf9sq7dYxqQBJMleNB6vZi+ODZmRYhGBBgRAgAG
> BQI/bKZAAAoJEOVsV3iT3a1098cAn0BnS7NFu98qLc7XQL//rBh94EqzAJ9KGwCF
> K15S/3LqsNGqQEMRdzdQaw==
> =R5pw
> -----END PGP PUBLIC KEY BLOCK-----
>
--
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From anandbaghel at hotmail.com Tue Sep 30 11:50:20 2003
From: anandbaghel at hotmail.com (Anand Baghel)
Date: Tue, 30 Sep 2003 11:50:20 -0400
Subject: [VPN] VPN Help

Hi,

Please help me on solving this problem. Forgive me if this was discussed before, but I do not see a way to search the archives.

I am using a VPN between two offices for transferring data. I have a single machine that would need to be able to have multiple machines connected to it.

I have Office1 and Office2. I have the VPN server in Office1 and the VPN client at Office2 on Machine1. Office 2 has other machines on the LAN. Let's say Machine2, Machine3, Machine4, Machine5...

Office1                 Office2
PC-1------------|-------Machine1
                |-------Machine2
                |-------Machine3

Here is the problem: when Machine1 is connected to the VPN server at Office1, it disconnects itself from the other machines, i.e. Machine1 loses its connection with Machine2, Machine3...

I am using a CISCO PIX server / firewall at Office1 and the VPN CISCO PIX Client at Office2. Office 2 does not have any firewall. Operating System: Windows 2000.

Please tell me what configuration I should make so that it does not happen.

Anand S.
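A check for the selector mismatch JeF points at in the FreeS/WAN x PIX thread above (and the symptom Jorge reports later in this digest, a tunnel that is up but carries nothing), added here as an example; it is not code from FreeS/WAN, Cisco or any poster. The conn block and the whack --status route line are copied from Alberto's posting (the wrapped line re-joined); the PIX access-list lines are constructed, and the function names are hypothetical. Quick mode only completes when each side's proxy IDs are the mirror image of the other's, so the script derives the crypto ACL the PIX must carry from the FreeS/WAN leftsubnet/rightsubnet pair and compares it with a given ACL line.

```python
"""Mirror check for FreeS/WAN selectors against a PIX crypto ACL (added example)."""
import ipaddress
import re

# Selector-relevant part of the posted conn (left = FreeS/WAN box, right = PIX).
SAMPLE_CONN = """\
conn VPN_5
    left=192.168.1.22
    leftsubnet=192.168.1.5/255.255.255.255
    right=10.10.18.143
    rightsubnet=10.10.18.146/255.255.255.255
"""

# The posted whack --status lines, with the mail wrap of the route line removed.
SAMPLE_STATUS = (
    '000 "VPN_5": 192.168.1.5/32===192.168.1.22---10.10.1.119'
    '...10.10.38.10---10.10.18.143===10.10.18.146/32\n'
    '000 "VPN_5": policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted\n'
)


def parse_conn(text):
    """Return the key=value options of the first conn block in text."""
    opts, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            if in_conn:
                break                        # a second conn starts; stop here
            in_conn = True
            opts["name"] = line.split(None, 1)[1]
        elif in_conn and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def to_network(spec):
    """Normalize 'a.b.c.d/32', 'a.b.c.d/255.255.255.255' or a bare host address."""
    if "/" not in spec:
        spec += "/32"
    return ipaddress.ip_network(spec, strict=False)   # accepts dotted netmasks too


def parse_whack_status(text):
    """Extract (conn name, leftsubnet, rightsubnet) from the whack route line."""
    for raw in text.splitlines():
        match = re.match(r'000 "([^"]+)":\s+(\S+)$', raw.strip())
        if not match or "..." not in match.group(2):
            continue
        name, route = match.groups()
        left_part, right_part = route.split("...", 1)
        # left_part is leftsubnet===left---leftnexthop; right_part is its mirror.
        return name, left_part.split("===")[0], right_part.split("===")[-1]
    return None


def pix_addr(net):
    """Render a network the way a PIX access-list line writes it."""
    if net.prefixlen == 32:
        return "host %s" % net.network_address
    return "%s %s" % (net.network_address, net.netmask)


def expected_pix_acl(acl_name, leftsubnet, rightsubnet):
    """The crypto ACL the PIX (FreeS/WAN's 'right') needs: its own side first."""
    return "access-list %s permit ip %s %s" % (
        acl_name, pix_addr(to_network(rightsubnet)), pix_addr(to_network(leftsubnet)))


def parse_pix_acl(line):
    """Parse 'access-list NAME permit ip <src> <dst>' into (src_net, dst_net)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
        raise ValueError("not a 'permit ip' access-list line: %r" % line)
    rest, nets = tokens[4:], []
    while rest:
        if rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        elif rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:                                # 'network mask' pair
            nets.append(ipaddress.ip_network(rest[0] + "/" + rest[1], strict=False))
            rest = rest[2:]
    if len(nets) != 2:
        raise ValueError("expected a source and a destination: %r" % line)
    return nets[0], nets[1]


def selectors_mirror(leftsubnet, rightsubnet, pix_acl_line):
    """True when the PIX ACL is the exact mirror image of the FreeS/WAN selectors.

    Anything other than an exact mirror (a /24 on one side, a /32 on the
    other) makes the proxy IDs differ, and phase 2 will not complete.
    """
    src, dst = parse_pix_acl(pix_acl_line)
    return src == to_network(rightsubnet) and dst == to_network(leftsubnet)


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONN)
    print(expected_pix_acl(conn["name"], conn["leftsubnet"], conn["rightsubnet"]))
```

Run it against your own ipsec.conf and the PIX's `show access-list` output; a False from selectors_mirror is the first thing to fix before looking at PFS or transform mismatches, which produce the same "sent QI1, expecting QR1" retransmit loop.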
Baghel

From losttoy2000 at yahoo.co.uk Tue Sep 30 15:01:25 2003
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Tue, 30 Sep 2003 20:01:25 +0100 (BST)
Subject: [VPN] VPN Help
Message-ID: <20030930190125.53294.qmail@web86306.mail.ukl.yahoo.com>

Look up the split-tunneling feature on Cisco PIX.

http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns27/networking_solutions_white_paper09186a0080186fcf.shtml

You might need to change your Cisco VPN client too.

HTH,
Siddhartha

--- Anand Baghel wrote:
> Hi,
>
> Please help me on solving this problem. Forgive me if this was discussed before, but I do not see a way to search the archives.
>
> I am using a VPN between two offices for transferring data. I have a single machine that would need to be able to have multiple machines connected to it.
>
> I have Office1 and Office2. I have the VPN server in Office1 and the VPN client at Office2 on Machine1. Office 2 has other machines on the LAN. Let's say Machine2, Machine3, Machine4, Machine5...
>
> Office1                 Office2
> PC-1------------|-------Machine1
>                 |-------Machine2
>                 |-------Machine3
>
> Here is the problem: when Machine1 is connected to the VPN server at Office1, it disconnects itself from the other machines, i.e. Machine1 loses its connection with Machine2, Machine3...
>
> I am using a CISCO PIX server / firewall at Office1 and the VPN CISCO PIX Client at Office2. Office 2 does not have any firewall. Operating System: Windows 2000.
>
> Please tell me what configuration I should make so that it does not happen.
>
> Anand S.
> Baghel

From jmondaca at entelsa.entelnet.bo Tue Sep 30 15:11:00 2003
From: jmondaca at entelsa.entelnet.bo (jmondaca at entelsa.entelnet.bo)
Date: Tue, 30 Sep 2003 15:11:00 -0400
Subject: [VPN] VPN PIX-FreeSwan established but no connection

Looking at the IPSEC and ISAKMP debugs on the PIX, the VPN between these boxes is already established, but when someone behind the FreeSwan network tries to connect to the inside PIX network there are no results (no pings, no telnets). If someone has any idea what it could be, please.

Jorge Mondaca

From rmalayter at bai.org Tue Sep 30 18:43:44 2003
From: rmalayter at bai.org (Ryan Malayter)
Date: Tue, 30 Sep 2003 17:43:44 -0500
Subject: [VPN] VPN Help
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A01115296@cliff.bai.org>

What you want to do is called "split tunneling". It's not very secure, but I think it is probably supported by the Cisco VPN client software. Look for that in the help files of your Cisco VPN client software.

A better solution might be a hardware VPN device at the gateway level of both Office 1 and Office 2, which would eliminate the need for client software altogether.

-----Original Message-----
From: Anand Baghel [mailto:anandbaghel at hotmail.com]
Sent: Tuesday, September 30, 2003 10:50 AM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN Help

Hi,

Please help me on solving this problem.
Forgive me if this was discussed before, but I do not see a way to search the archives.

I am using a VPN between two offices for transferring data. I have a single machine that would need to be able to have multiple machines connected to it.

I have Office1 and Office2. I have the VPN server in Office1 and the VPN client at Office2 on Machine1. Office 2 has other machines on the LAN. Let's say Machine2, Machine3, Machine4, Machine5...

Office1                 Office2
PC-1------------|-------Machine1
                |-------Machine2
                |-------Machine3

Here is the problem: when Machine1 is connected to the VPN server at Office1, it disconnects itself from the other machines, i.e. Machine1 loses its connection with Machine2, Machine3...

I am using a CISCO PIX server / firewall at Office1 and the VPN CISCO PIX Client at Office2. Office 2 does not have any firewall. Operating System: Windows 2000.

Please tell me what configuration I should make so that it does not happen.

Anand S. Baghel
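A simplified model of the behaviour behind Anand's question and Ryan's and Siddhartha's split-tunneling answers, added here as an example; it is not Cisco's code and not a description of the PIX client's internals. The networks are constructed (192.168.2.0/24 for the Office2 LAN Machine1 sits on, 10.1.0.0/24 for the inside network at Office1) and the function names are hypothetical. It shows, by longest-prefix-match route lookup, why an all-traffic policy takes the local LAN away from Machine1, how a split-tunnel list gives it back, and what Ryan's "not very secure" means: with split tunneling the host has a path into the office network and a path to the Internet open at the same time.

```python
"""Route selection on a VPN client host, with and without split tunneling (added example)."""
import ipaddress

OFFICE2_LAN = ipaddress.ip_network("192.168.2.0/24")    # constructed: Machine1's LAN
OFFICE1_INSIDE = ipaddress.ip_network("10.1.0.0/24")     # constructed: behind the PIX
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Assumption: the host's routing table before the VPN client connects.
BASE_ROUTES = [(OFFICE2_LAN, "local-lan"), (DEFAULT, "isp-gateway")]


def client_routes(split_tunnel_networks):
    """Routes in force once the client is connected, longest prefix first.

    None models the all-traffic policy: every destination, the local LAN
    included, is steered into the tunnel, which is the symptom in the thread.
    A list models a split-tunnel list: only those networks are tunnelled and
    everything else keeps following the host's own table.
    """
    if split_tunnel_networks is None:
        routes = [(DEFAULT, "tunnel")]
    else:
        routes = BASE_ROUTES + [(net, "tunnel") for net in split_tunnel_networks]
    return sorted(routes, key=lambda route: route[0].prefixlen, reverse=True)


def next_hop(destination, split_tunnel_networks):
    """Longest-prefix-match lookup for one destination address."""
    addr = ipaddress.ip_address(destination)
    for net, hop in client_routes(split_tunnel_networks):
        if addr in net:
            return hop
    raise LookupError("no route to %s" % destination)


def simultaneous_paths(split_tunnel_networks):
    """Distinct next hops usable at once; more than one means the host bridges networks."""
    return sorted({hop for _, hop in client_routes(split_tunnel_networks)})


if __name__ == "__main__":
    for policy, label in ((None, "all traffic tunnelled"), ([OFFICE1_INSIDE], "split tunnel")):
        print(label, "-> LAN peer:", next_hop("192.168.2.10", policy),
              "| Office1 host:", next_hop("10.1.0.5", policy),
              "| Internet:", next_hop("203.0.113.7", policy))
```

The model deliberately leaves out the client's own filtering and the PIX-side configuration; the point is the policy split (only listed networks into the tunnel) and its cost (two reachable worlds on one host), which is why Ryan's gateway-to-gateway alternative removes the trade-off altogether.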