From s0n123 at hotmail.com Fri Oct 1 05:07:03 2004
From: s0n123 at hotmail.com (Son Phan)
Date: Fri, 01 Oct 2004 11:07:03 +0200
Subject: [VPN] Can IPSec ESP be nested in another ESP?
Message-ID:

Thanks for many informative answers!

Br,
Son

===============
On Tue, Sep 28, 2004 at 09:52:59AM +0200, Son Phan wrote:
>Hello,
>
>I understand that AH & ESP mode can be applied together for the same IP
>packet.
>
>However I don't know whether two ESP can be nested. The case is as below:
>
>PC-------------------------------VPN GW-------------Application Server (AS)
><<------ESP tunnel mode----->>
><<-------------ESP transport mode ------------------->>
>
>PC has remote access to some closed domain via VPN GW. ESP tunnel
>mode is used here.
>One of the applications running on this PC wants to use a service provided by
>an AS within this closed domain. However this service mandates the client
>to use ESP transport mode to contact it.
>
>Can this scenario work?
>Any extra requirements toward the IPSec implementation on PC?
>
>Thanks,
>Son

From mail at meiremania.com Fri Oct 1 17:51:47 2004
From: mail at meiremania.com (MeireMania.com)
Date: Fri, 1 Oct 2004 23:51:47 +0200
Subject: [VPN] freeswan communication
In-Reply-To: <038501c4a634$4e6c3100$49caa8c0@caris.priv>
Message-ID: <001e01c4a800$dadc3ef0$6663a8c0@saddam>

This only depends on how you flavor your IPSEC settings in both

-----Original Message-----
From: vpn-bounces+mail=meiremania.com at lists.shmoo.com [mailto:vpn-bounces+mail=meiremania.com at lists.shmoo.com] On Behalf Of Peter Marshall
Sent: woensdag 29 september 2004 16:55
To: vpn at lists.shmoo.com
Subject: [VPN] freeswan communication

I just have a "will it work" question. I was wondering if anyone knows any reason that freeswan on rh would not communicate with ipsec on openbsd ... I am just in the process of recompiling my Linux kernel with freeswan and wanted to know if anyone has had problems with this configuration or knows off hand whether it should or should not work.

Thanks.
Peter
_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From s0n123 at hotmail.com Mon Oct 4 09:46:28 2004
From: s0n123 at hotmail.com (Son Phan)
Date: Mon, 04 Oct 2004 15:46:28 +0200
Subject: [VPN] Are VPN GW products able to notify the tunnel closing toward 3rd party box.
Message-ID:

Hello,

I would like to implement a configuration like this:

PC[Appl.Client/VPN client] <==VPN tunnel ==>VPN GW <-------->Appl.Server

The application client <--> Appl.Server connection would run on top of the VPN tunnel transparently. However, the Application Server would like to have at least the information from the VPN GW when the tunnel is closed, on a per remote IP address level (to identify the PC).

Do current VPN GW products in the market support this kind of notification toward 3rd party network elements? If yes, what is the mechanism used there?

Thanks,
Son

From jeeten at subisu.net.np Thu Oct 14 05:44:05 2004
From: jeeten at subisu.net.np (jeetendra)
Date: Thu, 14 Oct 2004 15:29:05 +0545
Subject: [VPN] New to VPN
Message-ID: <000801c4b1d2$58713840$9a93aeca@ftp>

I am interested to know about VPN, especially IPsec tunnels, which have to work over a cable internet connection. How can we connect a VPN through different countries? I mean one VPN router is on a cable connection from one ISP and the other VPN router is connected to another ISP with dialup or by other means.

best wishes
jeeten
From peter.marshall at caris.com Fri Oct 15 13:41:47 2004
From: peter.marshall at caris.com (Peter Marshall)
Date: Fri, 15 Oct 2004 14:41:47 -0300
Subject: [VPN] freeswan and ipsec
Message-ID: <0f1101c4b2de$3f18cbd0$49caa8c0@caris.priv>

I am still having problems getting freeswan (on rh9) to work properly with ipsec on openbsd. It works perfectly when I run it between 2 rh9 boxes ... however, I need it to work between rh9 and openbsd .....

On the openbsd console after I try to connect the two I get these messages (A.B.C.102 is a routable Internet IP address):

Oct 15 11:29:04 mailtestlx isakmpd[7395]: message_recv: invalid cookie(s) 19708ba516163430 5429d55714d51b23
Oct 15 11:29:04 mailtestlx isakmpd[7395]: dropped message from A.B.C.102 port 500 due to notification type INVALID_COOKIE
Oct 15 11:29:27 mailtestlx isakmpd[7395]: transport_send_messages: giving up on message 0x3c05da00
Oct 15 11:31:27 mailtestlx isakmpd[7395]: transport_send_messages: giving up on message 0x3c05da00
Oct 15 11:33:27 mailtestlx isakmpd[7395]: transport_send_messages: giving up on message 0x3c05da00
Oct 15 11:43:27 mailtestlx last message repeated 5 times

On the Rh9 box, I get this in the /var/log/secure file (A.B.C.? and E.F.G.? are routable Internet IP addresses):

Oct 15 14:19:50 pmarshallx pluto[17009]: "bsdtest" #69: cannot respond to IPsec SA request because no connection is known for A.B.C.0/22===A.B.C.102...E.F.G.33===E.F.G.0/26
Oct 15 14:19:57 pmarshallx pluto[17009]: "bsdtest" #69: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf619efa3 (perhaps this is a duplicated packet)
Oct 15 14:20:06 pmarshallx pluto[17009]: "bsdtest" #69: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf619efa3 (perhaps this is a duplicated packet)

This is what I type on the linux box to start ipsec:

[root at pmarshallx log]# /etc/init.d/ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 2.06...
[root at pmarshallx log]# ipsec auto --up bsdtest
112 "bsdtest" #2: STATE_QUICK_I1: initiate
004 "bsdtest" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x707d73c4 <0xb492011f}

This is what I type on the bsdbox:

# isakmpd

This is the ipsec.conf file on the linux box:

# basic configuration
config setup
	interfaces="ipsec0=eth0"
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	# klipsdebug=all
	# plutodebug=dns

conn bsdtest
	#auto=start
	auto=add
	type=tunnel
	keyexchange=ike
	left=E.F.G.33
	leftsubnet=192.168.200.0/21
	leftnexthop=E.F.G.3
	right=A.B.C.102
	rightsubnet=10.0.0.0/24
	rightnexthop=A.B.192.1
	authby=secret
	pfs=yes

This is the isakmpd.conf file on the openbsd box:

[General]
Listen-on=E.F.G.33

[Phase 1]
A.B.C.102= ISAKMP-peer-B

[Phase 2]
Connections= IPsec-AB

[ISAKMP-peer-B]
Phase = 1
Transport = udp
Local-address = E.F.G.33
Address = A.B.C.102
Configuration = Default-main-mode
Authentication = mypassword

[IPsec-AB]
Phase = 2
ISAKMP-peer = ISAKMP-peer-B
Configuration = Default-quick-mode
Local-ID = Net-LOCAL
Remote-ID = Net-HOST2

[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-AES-SHA-PFS-SUITE

[Net-LOCAL]
ID-type = IPV4_ADDR_SUBNET
Network = E.F.G.33
Netmask = 255.255.255.192

[Net-HOST2]
ID-type = IPV4_ADDR_SUBNET
Network = A.B.C.102
Netmask = 255.255.252.0

Any help would be greatly appreciated.

Thanks
Peter Marshall

From peter.marshall at caris.com Fri Oct 15 13:56:42 2004
From: peter.marshall at caris.com (Peter Marshall)
Date: Fri, 15 Oct 2004 14:56:42 -0300
Subject: [VPN] Re: freeswan and ipsec
Message-ID: <0f1601c4b2e0$54609250$49caa8c0@caris.priv>

I should also mention that the connection does get established. I can also view windows networking stuff. However, I do not know why I am getting the errors. Also, I can not seem to do some other things over the connection. For example, one site runs an internet app. If I try to connect to it when the two vpn servers are redhat boxes, it works. When I use the BSD boxes, it does not.
I get the following in my /var/log/messages file on my company's internal firewall:

Oct 15 14:53:43 radium kernel: FORWARD REJECT IN=eth1 OUT=eth0 SRC=205.174.164.33 DST=192.168.201.22 LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=25774 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.201.22 DST=10.0.0.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=126 ID=18062 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1444

My current setup has the vpn server on a routable IP address between two firewalls (DMZ). The webpage I am trying to reach from the remote site is behind the internal firewall on a 192.168 number. Please note that this works fine when I use two linux boxes as the vpn servers.

ipsec verify on the linux box gives this:

[root at pmarshallx log]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN 2.06
Checking for IPsec kernel support: found KLIPS [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking tun0x1002 at E.F.G.33 from 10.0.0.0/24 to 192.168.200.0/21 [FAILED]
	SNAT from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 10.0.0.0/24 -> 192.168.200.0/21
NATting could potentially kill some of your existing tunnels.
For more information, visit the following URL:
http://lists.freeswan.org/pipermail/users/2002-August/012918.html
Opportunistic Encryption DNS checks:
	Looking for TXT in forward map: pmarshallx [MISSING]
	Does the machine have at least one non-private address? [OK]
	Looking for TXT in reverse map: 102.195.195.69.in-addr.arpa. [MISSING]

Thanks again.
Peter

----- Original Message -----
From: "Peter Marshall"
To:
Sent: Friday, October 15, 2004 2:41 PM
Subject: freeswan and ipsec

I am still having problems getting freeswan (on rh9) to work properly with ipsec on openbsd. It works perfectly when I run it between 2 rh9 boxes ... however, I need it to work between rh9 and openbsd .....

On the openbsd console after I try to connect the two I get these messages (A.B.C.102 is a routable Internet IP address):

Oct 15 11:29:04 mailtestlx isakmpd[7395]: message_recv: invalid cookie(s) 19708ba516163430 5429d55714d51b23
Oct 15 11:29:04 mailtestlx isakmpd[7395]: dropped message from A.B.C.102 port 500 due to notification type INVALID_COOKIE
Oct 15 11:29:27 mailtestlx isakmpd[7395]: transport_send_messages: giving up on message 0x3c05da00
Oct 15 11:31:27 mailtestlx isakmpd[7395]: transport_send_messages: giving up on message 0x3c05da00
Oct 15 11:33:27 mailtestlx isakmpd[7395]: transport_send_messages: giving up on message 0x3c05da00
Oct 15 11:43:27 mailtestlx last message repeated 5 times

On the Rh9 box, I get this in the /var/log/secure file (A.B.C.? and E.F.G.? are routable Internet IP addresses):

Oct 15 14:19:50 pmarshallx pluto[17009]: "bsdtest" #69: cannot respond to IPsec SA request because no connection is known for A.B.C.0/22===A.B.C.102...E.F.G.33===E.F.G.0/26
Oct 15 14:19:57 pmarshallx pluto[17009]: "bsdtest" #69: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf619efa3 (perhaps this is a duplicated packet)
Oct 15 14:20:06 pmarshallx pluto[17009]: "bsdtest" #69: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf619efa3 (perhaps this is a duplicated packet)

This is what I type on the linux box to start ipsec:

[root at pmarshallx log]# /etc/init.d/ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 2.06...
[root at pmarshallx log]# ipsec auto --up bsdtest
104 "bsdtest" #3: STATE_MAIN_I1: initiate
106 "bsdtest" #3: STATE_MAIN_I2: sent MI2, expecting MR2
108 "bsdtest" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "bsdtest" #3: STATE_MAIN_I4: ISAKMP SA established
112 "bsdtest" #4: STATE_QUICK_I1: initiate
004 "bsdtest" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe8dfa4d8 <0xb4920120}

This is what I type on the bsdbox:

# isakmpd

This is the ipsec.conf file on the linux box:

# basic configuration
config setup
	interfaces="ipsec0=eth0"
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	# klipsdebug=all
	# plutodebug=dns

conn bsdtest
	#auto=start
	auto=add
	type=tunnel
	keyexchange=ike
	left=E.F.G.33
	leftsubnet=192.168.200.0/21
	leftnexthop=E.F.G.3
	right=A.B.C.102
	rightsubnet=10.0.0.0/24
	rightnexthop=A.B.192.1
	authby=secret
	pfs=yes

This is the isakmpd.conf file on the openbsd box:

[General]
Listen-on=E.F.G.33

[Phase 1]
A.B.C.102= ISAKMP-peer-B

[Phase 2]
Connections= IPsec-AB

[ISAKMP-peer-B]
Phase = 1
Transport = udp
Local-address = E.F.G.33
Address = A.B.C.102
Configuration = Default-main-mode
Authentication = mypassword

[IPsec-AB]
Phase = 2
ISAKMP-peer = ISAKMP-peer-B
Configuration = Default-quick-mode
Local-ID = Net-LOCAL
Remote-ID = Net-HOST2

[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-AES-SHA-PFS-SUITE

[Net-LOCAL]
ID-type = IPV4_ADDR_SUBNET
Network = E.F.G.33
Netmask = 255.255.255.192

[Net-HOST2]
ID-type = IPV4_ADDR_SUBNET
Network = A.B.C.102
Netmask = 255.255.252.0

Any help would be greatly appreciated.

Thanks
Peter Marshall

From MStavale at airmethods.com Wed Oct 20 10:46:58 2004
From: MStavale at airmethods.com (Marc Stavale)
Date: Wed, 20 Oct 2004 08:46:58 -0600
Subject: [VPN] Pix 515E VPN tunnel Via Cisco Client 4.0 thru a Natted
Message-ID:

Well, to anyone who is still interested, I did get my Pix VPN tunnel up and working.
Seems the DSL router I had at the ol' homestead was faulty. After checking with the ISP, they said they were not blocking any IPSEC packets, so since I knew my Pix config was good for establishing a tunnel, I decided to return my Qwest DSL router and get it replaced; even though it said it was forwarding my packets and doing passthrough, I didn't believe it was. With a new modem (same model), I configured it and lo and behold it started working. Same OS and config. Just new router.

Ah, the trials and tribulations of testing.

Marc Stavale
Network Engineer
Airmethods
7211 S. Peoria St.
Englewood Co. 80112
303-792-7491

From tbird at precision-guesswork.com Thu Oct 21 00:14:09 2004
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 20 Oct 2004 21:14:09 -0700
Subject: [VPN] IPsec and 802.1x
Message-ID: <00a901c4b724$6b82b3d0$6602a8c0@lindesfarne>

Hi all --

I'm writing a new course on 802.1x and LAN security and all that good stuff, and I've developed at least one question I'm hoping the list can help with. Are any of you using 802.1x in conjunction with IPsec or other remote access VPN configurations? If so, why? When did you start integrating it -- in particular, did you use 802.1x from the beginning of your VPN use? If you've added it to an existing VPN implementation, what pushed you in that direction?

If you don't want to discuss this on list, please send answers to me privately and I'll summarize for the group.

thanks very much - tbird

From bjaber at ipass.com Thu Oct 21 15:30:06 2004
From: bjaber at ipass.com (Basim Jaber)
Date: Thu, 21 Oct 2004 12:30:06 -0700
Subject: [VPN] IPsec and 802.1x
Message-ID: <53A5D324B48C8C468F0A44D13E6BB2629D6182@exchange2.corp.ipass.com>

We have a lab environment here with all sorts of WiFi security configurations. We've tested 802.1x PEAP, LEAP, EAP-TTLS, all in conjunction with operating an IPSec tunnel on top of the WiFi connection.

________________________________
Basim S. Jaber
Senior Systems Engineer -- Field Sales (Americas)
Senior Alliance Manager -- Technology Partner Alliances
iPass, Inc.
bjaber at iPass.com

From evyncke at cisco.com Tue Oct 26 03:50:55 2004
From: evyncke at cisco.com (Eric Vyncke)
Date: Tue, 26 Oct 2004 09:50:55 +0200
Subject: [VPN] IPsec and 802.1x
In-Reply-To: <00a901c4b724$6b82b3d0$6602a8c0@lindesfarne>
Message-ID: <5.1.0.14.2.20041026094802.03321510@127.0.0.1>

Tina,

We are using it internally for VPN from home for teleworkers.
802.1x (on plain wired Ethernet) is used in order to authenticate the employee, who may then go inside the VPN to reach the corporate network. On the other hand, the spouse and the kids of the employee fail the 802.1x authentication and are then prevented from going 'inside' the VPN.

Regards

-eric

From jkerr at careresource.org Tue Oct 26 12:13:32 2004
From: jkerr at careresource.org (James Kerr)
Date: Tue, 26 Oct 2004 12:13:32 -0400
Subject: [VPN] Simple VPN device
Message-ID: <8B5E2136565F0F499954CEA6A54B1B89599E73@antares.biscayne.local>

Hello,

I am looking to buy a VPN appliance to put between our router and our firewall, preferably from Cisco, as that is the brand of the router we are trying to connect to. Currently this is our situation. We are trying to establish a tunnel between our Firebox 700 and a Sprint managed router, to no avail. We are thinking that we should purchase something small from Cisco that would go between the firebox and our router and would better be able to connect. Only a handful of PCs on our network need to communicate through this tunnel, so we don't need something as robust as a Cisco VPN concentrator, but I understand that they may make some smaller SoHo type VPN appliances that may do the trick.

Does anyone have any recommendations to help resolve this issue?

James

From chris at zentrification.com Tue Oct 26 16:11:30 2004
From: chris at zentrification.com (Chris Dahms)
Date: Tue, 26 Oct 2004 13:11:30 -0700
Subject: [VPN] VPN layout question
Message-ID: <417EAF72.8080001@zentrification.com>

Hi,

I work for a small doctors' office that has three locations across Long Island, and we are looking to overhaul our network connection in conjunction with upgrading our practice management software. Currently we have a 'vpn' of sorts set up by point to point frame relay from two of the offices to the main office. The hardware is 8+ years old and failing, so we need to replace everything.

The network needs to provide secure communication between all three offices. The practice management software we use resides on one server at our main location, and needs to be able to securely communicate with the other two offices.

My question is with regard to the network topology. I was under the impression we could get a T1 to each site, buy Cisco 2600 series routers for each office with a VPN module card, and set it up so that office 1 was on, say, 192.168.1.x, office 2 on 192.168.3.x and office 3 on 192.168.4.x, and then when office 1 wanted to communicate with office 2, the packets from office 1 would be encrypted and routed by the VPN module over to the router at office 2 and sent to the appropriate machine. Then as a backup we could have DSL at each location hooked into the router, and if the T1 went down it would fail over to the DSL.
The network consultants we contract with are recommending point to point T1s from each smaller office to the main office with the network server, and then having each office have a separate T1 for an internet connection, in addition to the DSL failover. When I asked about the design I had in mind, they replied it was insecure/unreliable but failed to explain why.

My question is: is the network topology I have in mind feasible/reliable, or do we need point to point internet connections between the offices to establish the VPN?

thanks,
chris

From dan at linder.org Wed Oct 27 09:52:49 2004
From: dan at linder.org (Daniel Linder)
Date: Wed, 27 Oct 2004 08:52:49 -0500 (CDT)
Subject: [VPN] VPN layout question
In-Reply-To: <417EAF72.8080001@zentrification.com>
References: <417EAF72.8080001@zentrification.com>
Message-ID: <20198.68.227.169.15.1098885169.squirrel@68.227.169.15>

> I work for a small doctors' office that has three locations across Long
> Island and we are looking to overhaul our network connection in
> conjunction with upgrading our practice management software. Currently
> we have a 'vpn' of sorts set up by point to point frame relay from two of
> the offices to the main office. The hardware is 8+ years old and failing,
> so we need to replace everything.

...snip...

> The network consultants we contract with are recommending point to point
> T1s from each smaller office to the main office with the network
> server, and then having each office have a separate T1 for an internet
> connection, in addition to the DSL failover. When I asked about the
> design I had in mind, they replied it was insecure/unreliable but failed
> to explain why.

It sounds like you're technical enough that the consultants should have tried to explain their concerns to you. It might be more of a question of *their* experience level with the solution you are requesting. And I wouldn't put it past some consulting firms that have a vested interest in a higher priced P2P T1 solution if they are a potential reseller of those same T1 lines.

> My question is: is the network topology I have in mind feasible/reliable,
> or do we need point to point internet connections between the offices to
> establish the VPN?

Since your company is in the field of medicine, the consultants' concerns might have been about the possible risk of having a mis-configured VPN device allowing unencrypted customer medical data to traverse the Internet. (With the HIPAA regulations they could be worried about any legal recourse should something happen and the finger pointing get back to them... but I digress.)

Technically, an encrypted VPN connection itself is more secure than a private P2P or Frame Relay network by definition. Unfortunately, in the average non-technical person's mind, a private network is viewed as more secure since the data will presumably stay on a single carrier (probably never leave the state) and that one carrier's employees are probably trustworthy with your data. To that same non-technical person, the VPN over the Internet could be handled by multiple providers and possibly have your data routed through multiple middle-man carriers, any one of which holds the (encrypted) data throughout its path.

Basically the VPN vs private network question boils down to a risk analysis. Either...

A: If you have solid practices for security and network growth, then a VPN is a perfectly safe and secure solution for you. It will be cost effective if you add more sites, but the network technicians need to be diligent in their network changes -- a mis-typed ACL could send out un-encrypted traffic.

B: If you don't trust yourself or the people taking care of your network to be diligent in the configuration and maintenance of your network, then the private network would be a logical choice. It will probably cost more to add more sites, but there is a physical disconnect between the device handling the sensitive data and the device handling the Internet traffic.

Dan

- - - - -
"I do not fear computers, I fear the lack of them." -- Isaac Asimov

From waltr at umich.edu Wed Oct 27 10:37:41 2004
From: waltr at umich.edu (Walter Reynolds)
Date: Wed, 27 Oct 2004 10:37:41 -0400 (EDT)
Subject: [VPN] VPN layout question
In-Reply-To: <417EAF72.8080001@zentrification.com>
References: <417EAF72.8080001@zentrification.com>
Message-ID:

I am not sure where these consultants are from, but one of the main points of a VPN is that you do not need all those costly point-to-point links. Your scenario should work just fine.

--
Walter Reynolds
University of Michigan

From Dunnd at MSKCC.ORG Wed Oct 27 15:02:05 2004
From: Dunnd at MSKCC.ORG (Dunn, Denise/Finance)
Date: Wed, 27 Oct 2004 15:02:05 -0400
Subject: [VPN] Audit Program for VPN?
Message-ID: <705C9DB16EA4624B9F5EC588F8979C67018A0BB7@smskpexmbx1.mskcc.root.mskcc.org>

Did you ever find a VPN audit program that you are willing to share?
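Editor's added example, not part of any message in this archive: it relates to Peter Marshall's "freeswan and ipsec" thread above. The pluto line "no connection is known for A.B.C.0/22===A.B.C.102...E.F.G.33===E.F.G.0/26" names exactly the networks that the posted isakmpd.conf [Net-LOCAL]/[Net-HOST2] sections produce (the gateways' own public addresses masked by 255.255.255.192 and 255.255.252.0), whereas the FreeS/WAN conn names 192.168.200.0/21 and 10.0.0.0/24. The script below parses both configs and cross-checks the Phase 2 selectors each side will propose, so such a mismatch is caught before a tunnel is brought up. The addresses are constructed RFC 5737 stand-ins for the obfuscated A.B.C.x / E.F.G.x values; the subnets and masks are copied from the posted configs.

```python
"""Cross-check the IKEv1 Quick Mode (Phase 2) IDs that a FreeS/WAN ipsec.conf
'conn' and an OpenBSD isakmpd.conf would propose to each other."""
import configparser
import ipaddress

# Constructed stand-ins: 203.0.113.33 plays E.F.G.33 (OpenBSD), 198.51.100.102
# plays A.B.C.102 (Linux). Subnets/masks are as posted in the thread.
IPSEC_CONF = """\
conn bsdtest
	auto=add
	type=tunnel
	keyexchange=ike
	left=203.0.113.33
	leftsubnet=192.168.200.0/21
	right=198.51.100.102
	rightsubnet=10.0.0.0/24
	authby=secret
	pfs=yes
"""

ISAKMPD_CONF = """\
[General]
Listen-on=203.0.113.33
[IPsec-AB]
Phase = 2
Local-ID = Net-LOCAL
Remote-ID = Net-HOST2
[Net-LOCAL]
ID-type = IPV4_ADDR_SUBNET
Network = 203.0.113.33
Netmask = 255.255.255.192
[Net-HOST2]
ID-type = IPV4_ADDR_SUBNET
Network = 198.51.100.102
Netmask = 255.255.252.0
"""

# Same file with the [Net-*] sections naming the private subnets FreeS/WAN expects.
ISAKMPD_CONF_FIXED = (
    ISAKMPD_CONF
    .replace("Network = 203.0.113.33\nNetmask = 255.255.255.192",
             "Network = 192.168.200.0\nNetmask = 255.255.248.0")
    .replace("Network = 198.51.100.102\nNetmask = 255.255.252.0",
             "Network = 10.0.0.0\nNetmask = 255.255.255.0")
)


def parse_freeswan_conn(text, name):
    """Return the key=value pairs of one 'conn <name>' section of ipsec.conf."""
    params, in_conn = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # unindented line starts a new section
            in_conn = line.split() == ["conn", name]
            continue
        if in_conn:
            key, _, value = line.strip().partition("=")
            params[key.strip()] = value.strip()
    return params


def freeswan_selectors(params):
    """Map each gateway address to the subnet FreeS/WAN says sits behind it."""
    return {
        ipaddress.ip_address(params["left"]): ipaddress.ip_network(params["leftsubnet"]),
        ipaddress.ip_address(params["right"]): ipaddress.ip_network(params["rightsubnet"]),
    }


def isakmpd_id(cfg, section):
    """Network ID an isakmpd [Net-*] section puts on the wire: 'Network' masked by
    'Netmask', so a host address such as .33 collapses to its /26 network."""
    if cfg[section]["ID-type"] != "IPV4_ADDR_SUBNET":
        raise ValueError(f"{section}: only IPV4_ADDR_SUBNET IDs are handled here")
    net, mask = cfg[section]["Network"], cfg[section]["Netmask"]
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def compare(ipsec_conf, isakmpd_conf, conn="bsdtest", phase2="IPsec-AB"):
    """Return (pluto-style selector string, list of mismatch descriptions)."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str                    # isakmpd keys are case-sensitive
    cfg.read_string(isakmpd_conf)
    bsd_gw = ipaddress.ip_address(cfg["General"]["Listen-on"])
    local_id = isakmpd_id(cfg, cfg[phase2]["Local-ID"])
    remote_id = isakmpd_id(cfg, cfg[phase2]["Remote-ID"])
    fs = freeswan_selectors(parse_freeswan_conn(ipsec_conf, conn))
    (linux_gw,) = [gw for gw in fs if gw != bsd_gw]
    problems = []
    if local_id != fs[bsd_gw]:
        problems.append(f"isakmpd Local-ID {local_id} != FreeS/WAN subnet {fs[bsd_gw]} behind {bsd_gw}")
    if remote_id != fs[linux_gw]:
        problems.append(f"isakmpd Remote-ID {remote_id} != FreeS/WAN subnet {fs[linux_gw]} behind {linux_gw}")
    # Same layout pluto uses: <peer net>===<peer gw>...<our gw>===<our net>, as seen from isakmpd's proposal
    proposed = f"{remote_id}==={linux_gw}...{bsd_gw}==={local_id}"
    return proposed, problems


if __name__ == "__main__":
    for label, conf in (("as posted", ISAKMPD_CONF), ("fixed", ISAKMPD_CONF_FIXED)):
        proposed, problems = compare(IPSEC_CONF, conf)
        print(f"{label}: isakmpd proposes {proposed}")
        for p in problems:
            print("  mismatch:", p)
```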