From neale at lowendale.com.au Wed Jan 4 04:43:33 2006
From: neale at lowendale.com.au (Neale Banks)
Date: Wed, 4 Jan 2006 20:43:33 +1100 (EST)
Subject: [VPN] local processes and tunnels
Message-ID:

One for the IPSec tunnel-wizardry department - but first some ascii-art:

 ----------                            -------------
|          |        Wireless          |             |
| Leaf-Svr |--------------------------| Central-Svr |
|          |                          |             |
|          |  == == == == == ==       |             |
|          |  Tunnel (Openswan)       |             |
 ----------                            -------------
     |                                      |
 Leaf-LAN|                       Central-LAN|
|----------|                          |-------------|
     |                                      |
   |Client                               |NS
  -----                                  -----
 |     |                                |     |
 |     |                                |     |
  -----                                  -----

As I hope the diagram suggests, there's a remote site (leaf-node) linked
back to a central site via an Openswan tunnel over a wireless link.
Leaf-Svr and Central-Svr are running Fedora (Openswan and kernel 2.6).

Clients can happily communicate via the tunnel to nodes on the
Central-LAN. So far, so good. But... not so good for processes on
Leaf-Svr (e.g. name resolver querying the name-server on
Central-LAN("NS")) - we'd like them to communicate with nodes on
Central-LAN via the tunnel. Not unreasonably, these packets are not
encapsulated in the tunnel as they originate from the address of the
wireless-side.

I tried putting an iptables rule in the POSTROUTING chain of the nat
table to SNAT name requests to come from Leaf-Svr's Leaf-LAN interface
address, but no cigar.

Any other suggestions?

For situations like this what would be really handy is a diagram of where
the various netfilter chains fit together combined with where IPSec
encapsulates packets (e.g. to show if netfilter's POSTROUTING chain of the
nat table comes before or after encapsulation). Any pointers to such a
diagram, or even a description?

Thanks,
Neale.
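The behaviour Neale describes (locally generated packets leaving Leaf-Svr with the wireless-side address and therefore never matching the tunnel policy) comes down to two steps: the source address the kernel picks at routing time, and whether the IPsec security policy selectors (leftsubnet/rightsubnet in Openswan terms) cover that source/destination pair. The toy model below is an added example for this thread, not code from the thread, from Openswan or from the Linux kernel. It uses the addressing Russell Howe lays out in his reply further down (Leaf-LAN 10.0.0.0/24, Central-LAN 172.16.0.0/24, wireless 192.168.0.0/24, Central-Svr 192.168.0.2); the interface names eth0/wlan0, the name-server address 172.16.0.53 and the assumption that the policy check is made on the source address chosen at routing time (before any nat POSTROUTING rule could rewrite it) are mine.

```python
# Added example (not from the thread, not Openswan or kernel code): a toy model of
# how a Linux host picks the source address for a locally generated packet and how
# an IPsec SPD policy (leftsubnet <-> rightsubnet) then matches or misses it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    dst: str                      # destination prefix, e.g. "172.16.0.0/24"
    dev: str                      # outgoing interface
    via: Optional[str] = None     # next hop, if any
    src: Optional[str] = None     # "src" hint, as in `ip route add ... src ...`


@dataclass
class Policy:
    local: str                    # leftsubnet (this side of the tunnel)
    remote: str                   # rightsubnet (the other side)


def lookup(routes, dst):
    """Longest-prefix match over the routing table (metrics ignored in this toy)."""
    best = None
    for r in routes:
        if ip_address(dst) in ip_network(r.dst):
            if best is None or ip_network(r.dst).prefixlen > ip_network(best.dst).prefixlen:
                best = r
    return best


def source_address(routes, iface_addrs, dst):
    """Source chosen for a locally generated packet: the route's src hint if it
    has one, otherwise the primary address of the outgoing interface."""
    r = lookup(routes, dst)
    if r is None:
        raise ValueError(f"no route to {dst}")
    return r.src or iface_addrs[r.dev]


def spd_lookup(policies, src, dst):
    """First policy whose selectors cover (src, dst), or None if the packet
    would leave in the clear."""
    for p in policies:
        if ip_address(src) in ip_network(p.local) and ip_address(dst) in ip_network(p.remote):
            return p
    return None


def classify(routes, iface_addrs, policies, dst):
    """Return (source address, 'tunnel' | 'cleartext') for a packet to dst.
    Model assumption: the SPD check sees the source chosen at routing time,
    so a later POSTROUTING SNAT cannot pull the packet into the policy."""
    src = source_address(routes, iface_addrs, dst)
    return src, ("tunnel" if spd_lookup(policies, src, dst) else "cleartext")


# Constructed addresses following Russell Howe's layout in the thread:
# Leaf-LAN 10.0.0.0/24, Central-LAN 172.16.0.0/24, wireless 192.168.0.0/24.
LEAF_IFACES = {"eth0": "10.0.0.1", "wlan0": "192.168.0.1"}   # interface names assumed
LEAF_POLICIES = [Policy(local="10.0.0.0/24", remote="172.16.0.0/24")]
NS = "172.16.0.53"   # constructed address for the Central-LAN name server

# What the routing table looks like with the src hint left implicit ...
ROUTES_DEFAULT = [
    Route("10.0.0.0/24", "eth0"),
    Route("192.168.0.0/24", "wlan0"),
    Route("172.16.0.0/24", "wlan0", via="192.168.0.2"),
]
# ... and after `ip route add 172.16.0.0/24 via 192.168.0.2 src 10.0.0.1`.
ROUTES_SRC_HINT = [
    Route("10.0.0.0/24", "eth0"),
    Route("192.168.0.0/24", "wlan0"),
    Route("172.16.0.0/24", "wlan0", via="192.168.0.2", src="10.0.0.1"),
]


def demo():
    """Resolver query from Leaf-Svr to NS, before and after the src hint."""
    before = classify(ROUTES_DEFAULT, LEAF_IFACES, LEAF_POLICIES, NS)
    after = classify(ROUTES_SRC_HINT, LEAF_IFACES, LEAF_POLICIES, NS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("implicit src :", before)   # ('192.168.0.1', 'cleartext')
    print("src 10.0.0.1 :", after)    # ('10.0.0.1', 'tunnel')
```

A client on Leaf-LAN (say 10.0.0.50) matches the policy on its first try because its source is already inside leftsubnet; only Leaf-Svr's own sockets take the wireless address. The model also shows why the alternative Russell mentions, a second tunnel whose leftsubnet is the wireless-side address, works without touching the routing table: it widens the selector instead of changing the source.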
From rhowe at siksai.co.uk Wed Jan 4 20:16:23 2006
From: rhowe at siksai.co.uk (Russell Howe)
Date: Thu, 5 Jan 2006 01:16:23 +0000
Subject: [VPN] Re: local processes and tunnels
In-Reply-To:
References:
Message-ID: <20060105011623.GA17293@xiao.rsnet>

On Wed, Jan 04, 2006 at 08:43:33PM +1100, Neale Banks wrote:
> One for the IPSec tunnel-wizardry department - but first some
> ascii-art:
>
>  ----------                            -------------
> |          |        Wireless          |             |
> | Leaf-Svr |--------------------------| Central-Svr |
> |          |                          |             |
> |          |  == == == == == ==       |             |
> |          |  Tunnel (Openswan)       |             |
>  ----------                            -------------
>      |                                      |
>  Leaf-LAN|                       Central-LAN|
> |----------|                          |-------------|
>      |                                      |
>    |Client                               |NS
>   -----                                  -----
>  |     |                                |     |
>  |     |                                |     |
>   -----                                  -----
>
> As I hope the diagram suggests, there's a remote site (leaf-node) linked
> back to a central site via an Openswan tunnel over a wireless link.
> Leaf-Svr and Central-Svr are running Fedora (Openswan and kernel 2.6).
>
> Clients can happily communicate via the tunnel to nodes on the
> Central-LAN. So far, so good. But... not so good for processes on
> Leaf-Svr (e.g. name resolver querying the name-server on
> Central-LAN("NS")) - we'd like them to communicate with nodes on
> Central-LAN via the tunnel. Not unreasonably, these packets are not
> encapsulated in the tunnel as they originate from the address of the
> wireless-side.
>
> I tried putting an iptables rule in the POSTROUTING chain of the nat
> table to SNAT name requests to come from Leaf-Svr's Leaf-LAN interface
> address, but no cigar.
>
> Any other suggestions?

I suspect packets are being generated with the wrong source address for
the tunnel policy.. either create a second tunnel of
Leaf-Svr-Wireless-address <===> Central-LAN, or use iproute2's policy
routing to do something like:

ip route add central-LAN via Central-Svr src Leaf-Svr-Leaf-LAN-Address

So, if...
Leaf-LAN        10.0.0.0/24
Central-LAN     172.16.0.0/24
wireless LAN    192.168.0.0/24

Leaf-Svr        10.0.0.1 on Leaf-LAN
Leaf-Svr        172.16.0.1 on the Wireless LAN
Central-Svr     192.168.0.2 Wireless LAN

... you'd do something like this:

ip route add 172.16.0.0/24 via 192.168.0.2 src 10.0.0.1

By default, you would have had something like this, I bet:

ip route add 172.16.0.0/24 via 192.168.0.2 src 192.168.0.1

(the src bit being implicit).

You should be able to set that route and see if it magically fixes things.
If it does, then I probably have a replacement set of updown scripts which
you'll find useful.

I hope the above is clear...

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?

From vnyelurkar at gmail.com Thu Jan 5 00:10:18 2006
From: vnyelurkar at gmail.com (Virendra Yelurkar)
Date: Thu, 5 Jan 2006 05:10:18 +0000
Subject: [VPN] Problem in ipsec vpn setup.
Message-ID: <517de3280601042110uace036cq844015ab36a137c2@mail.gmail.com>

Hi all,

I am trying to set up a tunnel mode ipsec vpn connection between two
gateways (196.1.109.54 <--> 196.1.109.71). Each of these gateways is
connected to a client using cross cables.
The configuration is:

 (10.1.1.234)                  (196.1.109.54)  |        |  (196.1.109.71)                  (10.2.2.234)
 client-1 --------------------------- Gateway-1=====| Router |======= Gateway-2 --------------------------- client-2
 ( 10.1.1.1 )       cross cable                     |        |                     cross cable       ( 10.2.2.1 )

Routing table entries on Gateway-1 are:
eth0: default gw=Router
eth1: default gw=10.1.1.1

Routing table entries on Gateway-2 are:
eth0: default gw=Router
eth1: default gw=10.2.2.1

When I try to ping one client from another, the following error occurs:

sshipm: warning; SPD Phase-1 policy [responder]; Can not get policy for
ipv4(any:0,[0..3]=0.0.0.0) <-> ipv4(any:0,[0..3]=196.1.109.71)
sshipm: error; SPD rejected conn using selectors
unknown(any:0,[0..0]=)(ipv4(any:0,[0..3]=0.0.0.0)) <->
(ipv4(any:0,[0..3]=196.1.109.71))unknown(any:0,[0..0]=)
sshipm: info; The remote server 196.1.109.71:500 is SSH Communications
Security IPSEC Express version 5.0.0

Please help me in this regard..
Thanking you in anticipation.

-----------------------------------------------------------------------
Regards,
Virendra Yelurkar

From M.Arndt at science-computing.de Fri Jan 6 09:53:23 2006
From: M.Arndt at science-computing.de (Michael Arndt)
Date: Fri, 6 Jan 2006 15:53:23 +0100
Subject: [VPN] Cisco VPN Client to PIX Question
Message-ID: <20060106145323.GA30659@winter.science-computing.de>

Hello *

Problem: Access of a windows rdesktop client over a NAT/PAT VPN
does not work when the VPN is built over a nat-ed network.
The access works when the client computer accesses the pix only
via direct link (e.g. DSL access).

clientPC(rdesktop,cisco-vpnclient NAT/PAT) -> PIX -> targetserver                          works
clientPC(rdesktop,cisco-vpnclient NAT/PAT) -> (linux firewall,NAT) -> PIX -> targetserver  works NOT

Since I don't know if attachments are acceptable, below are the snippets
I think are relevant from the PIX (addresses modified).
Somewhere on this list I found hints regarding: isakmp nat-traversal
Does that apply for the given situation?

Has anyone hints, where to look?

TIA
Micha

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-list inside_outbound_nat0_acl permit ip any 192.168.7.96 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.7.96 255.255.255.224
access-list outside_cryptomap_dyn_40 permit ip any 192.168.7.96 255.255.255.224

ip address outside 123.45.152.168 255.255.255.192
ip address inside 192.168.7.4 255.255.255.0

ip local pool VPN 192.168.7.100-192.168.7.120

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 123.45.152.129 1

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup VPN address-pool VPN
vpngroup VPN dns-server 123.45.1.3 123.45.1.31
vpngroup VPN idle-time 1800

dhcpd address 192.168.7.5-192.168.7.36 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
Cryptochecksum:xxx
: end
[OK]

From Dana.Dawson at qwest.com Fri Jan 6 16:27:22 2006
From: Dana.Dawson at qwest.com (Dana J. Dawson)
Date: Fri, 6 Jan 2006 15:27:22 -0600
Subject: [VPN] Re: Cisco VPN Client to PIX Question
In-Reply-To: <20060106145323.GA30659@winter.science-computing.de>
References: <20060106145323.GA30659@winter.science-computing.de>
Message-ID:

Micha,

Yes, this sounds like a nat-traversal issue. Add the "isakmp nat-traversal 20"
command to your config and see if that helps.

Good luck!

Dana

---
Dana J. Dawson                  Dana.Dawson at qwest.com
Sr. Staff Engineer              CCIE #1937
Qwest Communications            JNCIA-FWV
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

On Friday, Jan 6, 8:53:23 AM, Michael Arndt wrote:
> Hello *
>
> Problem: Access of a windows rdesktop client over a NAT/PAT VPN
> does not work when the VPN is built over a nat-ed network.
> The access works when the client computer accesses the pix only
> via direct link (e.g. DSL access).
>
> clientPC(rdesktop,cisco-vpnclient NAT/PAT) -> PIX -> targetserver works
> clientPC(rdesktop,cisco-vpnclient NAT/PAT) -> (linux firewall,NAT) -> PIX -> targetserver works NOT
>
> Since I don't know if attachments are acceptable, below are the snippets
> I think are relevant from the PIX (addresses modified).
> Somewhere on this list I found hints regarding: isakmp nat-traversal
> Does that apply for the given situation?
>
> Has anyone hints, where to look?
>
> TIA
> Micha
>
> PIX Version 6.3(3)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
>
> access-list inside_outbound_nat0_acl permit ip any 192.168.7.96 255.255.255.224
> access-list outside_cryptomap_dyn_20 permit ip any 192.168.7.96 255.255.255.224
> access-list outside_cryptomap_dyn_40 permit ip any 192.168.7.96 255.255.255.224
>
> ip address outside 123.45.152.168 255.255.255.192
> ip address inside 192.168.7.4 255.255.255.0
>
> ip local pool VPN 192.168.7.100-192.168.7.120
>
> global (outside) 1 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 123.45.152.129 1
>
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
> crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map client authentication LOCAL
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
>
> vpngroup VPN address-pool VPN
> vpngroup VPN dns-server 123.45.1.3 123.45.1.31
> vpngroup VPN idle-time 1800
>
> dhcpd address 192.168.7.5-192.168.7.36 inside
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> Cryptochecksum:xxx
> : end
> [OK]
>
>
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

From roger.qian at sholodge.com Tue Jan 10 10:06:17 2006
From: roger.qian at sholodge.com (Qian, Roger)
Date: Tue, 10 Jan 2006 09:06:17 -0600
Subject: [VPN] Need a dedicated VPN box?
Message-ID:

Hi All,

We're using a PIX 515UR box as both firewall and VPN in our corporate
office. Remote users (laptops) VPN into the corporate network through the
PIX outside interface. The problem is that after the VPN is connected the
remote users cannot browse the Internet using the corporate gateway, which
is the PIX inside interface.

Do I need a dedicated VPN box? Which box do you recommend? Please advise.
The VPN configuration in the PIX is PPTP and we have about 10 remote users.

Thanks a lot.

Roger

From ken at comtextelecom.com Tue Jan 10 13:41:44 2006
From: ken at comtextelecom.com (Ken's Work Laptop)
Date: Tue, 10 Jan 2006 12:41:44 -0600
Subject: [VPN] VPN on a through two Cisco routers?
References:
Message-ID: <001801c61615$82319690$c86e0705@undrlaptopxp>

Hey everyone.

I am wondering how feasible it is to run an IPSec firewall (using two
Linksys BEFVP41) through two Cisco routers, which are set up in the
following manner.

Internet connection goes into the first Cisco router, which is using a
private IP range of 192.1.0.x/255.255.255.0. Off of this router is another
Cisco router which is providing a network of 192.168.1.x/255.255.255.0. My
Linksys router is on this network and has its own network of
192.168.2.x/255.255.255.0.

Now, I do not have the model numbers on hand, but I am expecting an email
shortly with those model numbers and I will reply to the list with them
once I have them, but I need to find out if there is a better way to handle
this. Basically, the VPN is going to be used to reach a VoIP phone switch
on the 192.168.1.x network, but there are phones on the 192.1.0.x network
which are using the VoIP phone switch as well.
So, is having the Linksys router on this network redundant, or does it
depend mainly on the Cisco switches?

Ken Livingston
Comtex Telecommunications
ken at comtextelecom.com

----- Original Message -----
From: Qian, Roger
To: vpn at lists.shmoo.com
Sent: Tuesday, January 10, 2006 9:06 AM
Subject: [VPN] Need a dedicated VPN box?

Hi All,

We're using a PIX 515UR box as both firewall and VPN in our corporate
office. Remote users (laptops) VPN into the corporate network through the
PIX outside interface. The problem is that after the VPN is connected the
remote users cannot browse the Internet using the corporate gateway, which
is the PIX inside interface.

Do I need a dedicated VPN box? Which box do you recommend? Please advise.
The VPN configuration in the PIX is PPTP and we have about 10 remote users.

Thanks a lot.

Roger
From venicio_boas at br.schindler.com Tue Jan 10 13:55:11 2006
From: venicio_boas at br.schindler.com (venicio_boas at br.schindler.com)
Date: Tue, 10 Jan 2006 16:55:11 -0200
Subject: [VPN] Doubt about PIX and ASA5510
Message-ID:

Dear all

I would like to know whether someone has a comparison between the PIX and
the ASA5510.

Our current hardware has reached its "end of life" state and from the
security standpoint we have to go for the new PIX IOS generation 7.x.

Our future configuration will be:

|---------+------------------------+---------------------------------|
|Pieces   |Product                 |Description                      |
|---------+------------------------+---------------------------------|
|1        |PIX-525-UR-BUN          |(PIX 525 Unrestricted Bundle)    |
|---------+------------------------+---------------------------------|
|1        |PIX-525-FO-BUN          |(PIX 525FO Bundle)               |
|---------+------------------------+---------------------------------|
|2        |PIX-4FE-66              |(PIX 66-MHz four-port 10/100 Fast|
|         |                        |Ethernet int. card)              |
|---------+------------------------+---------------------------------|

The additional interfaces are necessary to build the required perimeter
networks and the LAN failover links.

As we have applications located in the DMZ, we think not to use an ASA5510
instead of the PIX specified above, because the ASA5510 has characteristics
beyond a PIX in terms of security (firewall, IPS and Anti-X).

I would like to know whether someone has a comparison between them in terms
of cost, technical and so on.

Thank you for any help.

Venicio Vilas-Bôas
Elevadores Atlas Schindler S/A
Tel. 55 11 6120-5431

Notice: The information contained in this message is intended only for use
of the individual(s) named above and may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is
waived or lost by any mistransmission.
If you are not the intended recipient of this message you are hereby
notified that you must not use, disseminate, copy it in any form or take
any action in reliance of it. If you have received this message in error
please delete it and any copies of it and notify the sender immediately.

From apiccola at oconnorcp.com Tue Jan 10 14:03:33 2006
From: apiccola at oconnorcp.com (Piccola, Andrew)
Date: Tue, 10 Jan 2006 14:03:33 -0500
Subject: [VPN] Re: Need a dedicated VPN box?
Message-ID: <76D4A18642EC5046B9C8980F895F4FBB01BBF8A4@ntmadison.nydomain.com>

You need some DNS settings in your config. Example below for an ipsec
connection, but it should be the same for PPTP. I have two dns servers in
my scenario.

vpngroup test dns-server 192.168.1.1 192.168.1.4
vpngroup test default-domain www.msn.com

_____

From: vpn-bounces+apiccola=oconnorcp.com at lists.shmoo.com
[mailto:vpn-bounces+apiccola=oconnorcp.com at lists.shmoo.com] On Behalf Of Qian, Roger
Sent: Tuesday, January 10, 2006 10:06 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Need a dedicated VPN box?

Hi All,

We're using a PIX 515UR box as both firewall and VPN in our corporate
office. Remote users (laptops) VPN into the corporate network through the
PIX outside interface. The problem is that after the VPN is connected the
remote users cannot browse the Internet using the corporate gateway, which
is the PIX inside interface.

Do I need a dedicated VPN box? Which box do you recommend? Please advise.
The VPN configuration in the PIX is PPTP and we have about 10 remote users.

Thanks a lot.

Roger

From ken at comtextelecom.com Tue Jan 17 09:03:48 2006
From: ken at comtextelecom.com (Ken Livingston)
Date: Tue, 17 Jan 2006 08:03:48 -0600
Subject: [VPN] Need help with two Linksys BEFVP41 routers.
References: <76D4A18642EC5046B9C8980F895F4FBB01BBF8A4@ntmadison.nydomain.com>
Message-ID: <002201c61b6e$d7e68880$8d03a8c0@comtextelecom.com>

I have searched and searched and I am not sure if I am able to do what I
am trying to do. OK, let me explain a bit.

I have established a tunnel between two BEFVP41 routers through the
internet. I want to route traffic through them for a couple of VoIP phones
to a phone switch. The first issue is that the phone switch does not
reside on the LAN side of either of the BEFVP41s. It does reside on the
network which is on the WAN side of one, though. Here is the current
network breakdown.

Internet --> Cisco Pix Firewall --> Cisco 3810 (192.0.1.x/255.255.255.0)
  --> Cisco 3640 (192.168.1.x/255.255.255.0)
  --> Linksys BEFVP41 (192.168.2.x/255.255.255.0)

The Cisco 3640 is the router through which my phone system is on the
network. It has an ip address of 192.168.1.113. The other side of the VPN
tunnel is just the internet connection to the Linksys. Also, I am not
absolutely sure if the topology for the placement of the Pix Firewall is
accurate. I did not set up this network and I really know nothing about
Cisco stuff.

Internet --> Linksys BEFVP41 (192.168.4.x/255.255.255.0) --> IP Phones

I can establish the tunnel with no problems. I need to know if there is
any configuration needed (or desired) on the Cisco routers and/or the Pix.
Also, is there a way to establish a static route from the Linksys BEFVP41s
through the tunnel on either end, so that I can route the IP traffic from
the IP phones to the 192.168.1.113 IP address?

Any help would be greatly appreciated!

Ken

From yeet at o2.co.uk Thu Jan 19 10:22:48 2006
From: yeet at o2.co.uk (yeet)
Date: Thu, 19 Jan 2006 17:22:48 +0200
Subject: [VPN] how to detect vpn3000 model
Message-ID: <000801c61d0c$354ed650$027b10ac@mobile>

Hello Folks,

Is it possible to detect which model of the vpn3000 series is running on a
remote ip? What about its version?
Thanks