From son_ml at freemail.hu Mon Feb 7 18:41:58 2005
From: son_ml at freemail.hu (Son Phan)
Date: Tue, 8 Feb 2005 00:41:58 +0100 (CET)
Subject: [VPN] Is IP address spoofing possible with ESP transport mode?
In-Reply-To:
Message-ID:

Hello IPSec folks,

As far as I know the IP header is not protected in ESP mode, so in transport mode the source IP may be modified.

Imagine the following scenario:

- Bad guy Bob sets up a transport ESP SA with server S. The SA is identified by S's IP address, SPI and SA mode (ESP).

- After setting up this SA, Bob sends an IP packet protected with this SA's parameters, but puts Victim Alice's IP address into the source IP address. As the {dest_IPaddr, SPI, mode} trio points to the valid SA, the packet can be decrypted successfully. However the result will be an IP packet with a fake source IP address.

Question:

- Can that case really happen or did I miss something?

- There is a source address field in the SA. Is it mandatory to check this value against the source IP address to protect against the above case? I have some doubt about it as it can be a wildcard in many cases.

- Is there any measure to protect against the case described here?

Thanks in advance,
Son


From rtwatson at gmail.com Mon Feb 7 21:11:58 2005
From: rtwatson at gmail.com (Travis Watson)
Date: Mon, 07 Feb 2005 19:11:58 -0700
Subject: [VPN] Is IP address spoofing possible with ESP transport mode?
In-Reply-To:
References:
Message-ID: <42081FEE.80101@gmail.com>

Son,

Enabling Perfect Forward Secrecy (PFS) will encrypt the entire packet in ESP--including the header. If you can't enable that, someone could see your src IPs and try to spoof packets, but it's far from a huge risk, IMHO. You have to get past phase1 to get to phase2, for starters. For phase1 (establishing the initial SA) the source IP address is sent in the clear, but there is no real alternative to that. Your device and the distant end device have to do an initial key exchange, so they have to know how to talk to each other and where the other end lives.

It's a two-way handshake though, and the actual exchange of keys is done encrypted. A spoofed IP address in this case doesn't really do an attacker any good because the handshake would fail unless the guy knows the pre-share (or has a copy of the certificate), knows the parameters for both sides of the tunnel, and can route the spoofed IP address to a device he controls vs whoever controls the spoofed IP address. If that's the case, you have bigger problems than headers being sent in the clear.

I understand your concern, and I'm not an uber-31337 4aXX0r so there may be a couple things I'm missing, but I wouldn't lose much sleep over it.

Cheers,
Travis


From losttoy2000 at yahoo.co.uk Tue Feb 8 02:48:31 2005
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Tue, 8 Feb 2005 07:48:31 +0000 (GMT)
Subject: [VPN] Is IP address spoofing possible with ESP transport mode?
In-Reply-To:
Message-ID: <20050208074831.53642.qmail@web26010.mail.ukl.yahoo.com>

The need for origin authenticity is to avoid man-in-the-middle attacks where an attacker sits in the middle of the conversation and *proxies* the connection. With ESP in transport mode, that isn't possible because the payload is encrypted so a man-in-the-middle wouldn't be able to grab the data.

Spoofing IP addresses with Transport-mode ESP will only give you routing headaches ;)

- Siddhartha (CISSP)
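Added illustration, not code from anyone in this thread: the inbound check that Son's question turns on and that Stephen Bevan's reply later in the thread points to (RFC 2401 section 5.2.1 step 2), reduced to SA lookup by {dst, SPI, proto} followed by a check of the packet's source address against the SA's source selector, once with a wildcard selector and once with the selector narrowed to the negotiating peer as section 4.4.1 describes. The addresses, SPI, and the narrowing rule in sa_from_spd are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    """Inbound SA entry at server S. src_selector is the SA's source
    address selector as a CIDR string ("0.0.0.0/0" is the wildcard)."""
    dst: str
    spi: int
    proto: str
    src_selector: str

def sa_from_spd(spd_src_selector: str, negotiated_peer: str) -> str:
    """Assumed narrowing rule in the spirit of RFC 2401 section 4.4.1: the SPD
    template may carry a wildcard or range, but the SA created for a
    negotiated peer records that peer's single address as its selector."""
    if ipaddress.ip_address(negotiated_peer) not in ipaddress.ip_network(spd_src_selector):
        raise ValueError("peer not covered by SPD entry")
    return f"{negotiated_peer}/32"

def inbound_check(pkt: dict, sad: dict) -> tuple:
    """RFC 2401 section 5.2.1 inbound processing reduced to the two steps the
    thread is about: (1) find the SA by (dst, SPI, proto); (2) check the
    packet's source address against that SA's source selector."""
    sa = sad.get((pkt["dst"], pkt["spi"], pkt["proto"]))
    if sa is None:
        return False, "no SA for (dst, spi, proto)"
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(sa.src_selector):
        return False, "source address fails SA selector check"
    return True, "accepted"

# Constructed addresses (RFC 5737 documentation ranges) for Son's scenario.
BOB, ALICE, SERVER = "198.51.100.7", "203.0.113.5", "192.0.2.10"
SPI = 0x1234

def demo() -> dict:
    # The packet Bob sends over his own SA but with Alice's address as source.
    spoofed = {"src": ALICE, "dst": SERVER, "spi": SPI, "proto": "ESP"}
    genuine = dict(spoofed, src=BOB)
    # Case 1: the wildcard was copied straight from the SPD into the SA.
    wild = {(SERVER, SPI, "ESP"): SA(SERVER, SPI, "ESP", "0.0.0.0/0")}
    # Case 2: the SA selector was narrowed to the peer that negotiated it.
    narrow = {(SERVER, SPI, "ESP"): SA(SERVER, SPI, "ESP", sa_from_spd("0.0.0.0/0", BOB))}
    return {
        "wildcard_spoofed": inbound_check(spoofed, wild),
        "narrow_spoofed": inbound_check(spoofed, narrow),
        "narrow_genuine": inbound_check(genuine, narrow),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the wildcard selector the spoofed packet is accepted after decryption; with the narrowed selector only Bob's own address passes, which is the check the thread is asking about.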
From stephen at dino.dnsalias.com Tue Feb 8 02:05:41 2005
From: stephen at dino.dnsalias.com (Stephen J. Bevan)
Date: Mon, 7 Feb 2005 23:05:41 -0800
Subject: [VPN] Is IP address spoofing possible with ESP transport mode?
In-Reply-To:
References:
Message-ID: <16904.25797.578525.490888@anakin.>

Son Phan writes:
[snip]
> Question:
[snip]
> -There is a source address field in SA. Is it mandatory to check
> this value against the source IP address to protect the above case?

In general for transport mode the packet's source address must match the SA selector value for the SA indicated by the packet's SPI value. See RFC 2401 section 5.2.1 step 2 for the gory details and exceptions.

> I have some doubt about it as it can be a wildcard in many cases.
>
> -Is there any measure to protect the case described here?

Your scenario left out how Bob's SA was created (manually, via IKE, via some other keying protocol) and what values it contains so I don't know if there is a specific case you are interested in or all variations. Either way, if spoofing is something you want to avoid then don't use a wildcard or range in an SA. This doesn't mean you can't have wildcards in any templates that are used to generate an SA, just not in the SA. See for example RFC 2401 section 4.4.1 which mentions how an SA with a single source address can result from an SPD entry with a wildcard address.


From son_ml at freemail.hu Tue Feb 8 08:44:35 2005
From: son_ml at freemail.hu (Son Phan)
Date: Tue, 8 Feb 2005 14:44:35 +0100 (CET)
Subject: [VPN] Is IP address spoofing possible with ESP transport
Message-ID:

Thanks Stephen and others for helpful answers! Especially the reference to section 5.2.1 of RFC2401 was very useful.

Br,
Son


From stephen at dino.dnsalias.com Tue Feb 8 21:06:12 2005
From: stephen at dino.dnsalias.com (Stephen J. Bevan)
Date: Tue, 8 Feb 2005 18:06:12 -0800
Subject: [VPN] Is IP address spoofing possible with ESP transport mode?
In-Reply-To: <42081FEE.80101@gmail.com>
References: <42081FEE.80101@gmail.com>
Message-ID: <16905.28692.135290.70489@anakin.>

Travis Watson writes:
> Enabling Perfect Forward Secrecy (PFS) will encrypt the entire
> packet in ESP--including the header.

Enabling PFS has no impact on whether an IP header is encrypted or not. The outer IP header is never encrypted in either transport or tunnel mode ESP (otherwise you couldn't route the packet) and the inner header is always encrypted in tunnel mode ESP regardless of whether PFS was used or not.

> A spoofed IP address in this case doesn't really do an attacker any
> good because the handshake would fail unless the guy knows the
> pre-share (or has a copy of the certificate),

That's true, however as I understand Son's description the attacker *does* know the pre-share or certificate and has already established a valid transport mode ESP connection to the server S. The intent of the attacker is then to pass off traffic on this connection as coming from someone else (Alice in Son's description) rather than the attacker.


From ADiaz at t-systems.com Wed Feb 9 13:13:38 2005
From: ADiaz at t-systems.com (ADiaz at t-systems.com)
Date: Wed, 9 Feb 2005 19:13:38 +0100
Subject: [VPN] IPSec tunnel failover
Message-ID:

VPN Wizards,

I have been tasked to configure IPSec tunnels from a remote site (1751 w/Cisco Secure IOS) terminating on 2 different Nokia IP380 firewalls. The customer is requesting that the traffic be divided into the tunnels by certain traffic type. One tunnel will transport SAP, terminating on 1 firewall, and the other tunnel will transport e-mail and miscellaneous traffic, terminating on the other firewall. They also are requesting that in the event that one tunnel fails the traffic of the failed tunnel be automatically re-routed to the other available tunnel.

Can anyone let me know if this is feasible and how it is done. Do I need additional hardware or software to resolve this request?

Thanks,

al


From stewart at Diplomat.co.uk Fri Feb 11 04:28:55 2005
From: stewart at Diplomat.co.uk (Stewart Harding)
Date: Fri, 11 Feb 2005 09:28:55 -0000
Subject: [VPN] WindowsSP2 VPN problems
Message-ID: <8920088B503580428B78619EAB92A7D3067D5D@winserver3.Diplomat.co.uk>

Ever since we upgraded to SP2 all our VPNs will only stay open for about 60 seconds. I am having to use our 2003 server to VPN into our customers' sites. As MS do not appear to be any nearer to a fix, can you recommend a third party VPN client I can install that will work.

Thanks

Stewart Harding
Diplomat Data Systems Ltd.
Tel 01256 381656
Fax 01256 381571


From rtwatson at gmail.com Fri Feb 11 13:34:37 2005
From: rtwatson at gmail.com (Travis Watson)
Date: Fri, 11 Feb 2005 11:34:37 -0700
Subject: [VPN] IPSec tunnel failover
In-Reply-To:
References:
Message-ID: <420CFABD.5040203@gmail.com>

ADiaz at t-systems.com wrote:
> They also are requesting that in the event that one tunnel fails the traffic of the failed tunnel be automatically re-routed to the other available tunnel.
> Can anyone let me know if this is feasible and how it is done. Do I need additional hardware or software to resolve this request?

Not really, no. You could do it, conceivably, if you got firewall load balancers to put in front and behind to handle the failover, but that would be a waste of time and money (lots of both).

It seems better to use QOS. It sounds like their crack rock is SAP and everyone else be damned, so guarantee SAP xMB of traffic (or negate it by limiting everything else to xMB). If they want failover, the two firewalls have to work together, with the same policy.

--Travis


From cu_solomon at hotmail.com Mon Feb 14 17:32:22 2005
From: cu_solomon at hotmail.com (Solomon Welch)
Date: Mon, 14 Feb 2005 17:32:22 -0500
Subject: [VPN] Cisco VPN 3005 and groups
Message-ID:

Hi All

I'm in need of some help with a Cisco VPN 3005. I have set it to authenticate using RADIUS, but I would also like to use the internal user db. So I set up a new group to use internal authentication, but when I try to connect using "user at internalgroup" it tries to authenticate against the RADIUS server and fails. The firmware is version 4.1.5.Rel Jun 18 2004 02:34:34. I'm using PPTP and the RADIUS server is my main authentication server in "Configuration | System | Servers | Authentication".

Any help would be great,

-Solomon


From MShivdasani at venterinstitute.org Tue Feb 15 10:37:14 2005
From: MShivdasani at venterinstitute.org (Shivdasani, Meenoo)
Date: Tue, 15 Feb 2005 10:37:14 -0500
Subject: [VPN] Cisco VPN 3005 and groups
Message-ID: <5A25ECBB1D5CCA4FAF27FE06CC8F03820C4001@VI-EXCHANGE.JCVSF.Corp>

> use the internal user db. So I setup a new group to use
> internal authentication, but when I try to connect using
> "user at internalgroup" it tries to authenticate against the
> RADIUS server and fails.

If I remember correctly, you need to have it check Internal authentication first by adding an Internal server that's above your RADIUS server in the list under Configuration | System | Servers | Authentication.

M


From rodrigues at tce.pe.gov.br Wed Feb 16 10:22:41 2005
From: rodrigues at tce.pe.gov.br (Clebson Rodrigues da Silva)
Date: Wed, 16 Feb 2005 12:22:41 -0300
Subject: [VPN] Cisco VPN Client can't connect to Pix 515 with rsa-sig
Message-ID:

An embedded message was scrubbed...
From: "Clebson Rodrigues da Silva"
Subject: Cisco VPN Client can't connect to Pix 515 with rsa-sig
Date: Wed, 16 Feb 2005 12:22:41 -0300
Size: 97466
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20050216/ed5ec6f2/attachment.eml


From cu_solomon at hotmail.com Fri Feb 18 15:49:54 2005
From: cu_solomon at hotmail.com (Solomon Welch)
Date: Fri, 18 Feb 2005 15:49:54 -0500
Subject: [VPN] Cisco VPN 3005 and groups
Message-ID:

Thanks to everyone who responded. I changed the main authentication server to internal and set the RADIUS server in the groups. I also had to use user at windowsADdomain.com to get the user to authenticate correctly with the Windows IAS (RADIUS) server, which then authenticated with my AD server. I named the groups with the same name as my AD domain (windowsADdomain.com).

I hope this will help others with this problem,

-Solomon


From billpritjr at yahoo.com Mon Feb 28 00:09:24 2005
From: billpritjr at yahoo.com (Bill Pritchard)
Date: Sun, 27 Feb 2005 21:09:24 -0800 (PST)
Subject: [VPN] VOIP with VPN - how?
Message-ID: <20050228050924.16812.qmail@web50809.mail.yahoo.com>

Can anyone please walk me thru the steps to get Voicepulse VOIP to work with my Windows XP Home based VPN?

I can surf the net fine, but when the VPN is active, it kills my VoicePulse (expected). When I kill the VPN, Voicepulse is back alive.

Thanks