From travis at traviswatson.com Thu Jun 1 19:45:55 2006
From: travis at traviswatson.com (Travis Watson)
Date: Thu, 01 Jun 2006 16:45:55 -0700
Subject: [VPN] Re: VPN to Netgear FVS318 v2.4
In-Reply-To: <6BEB7C2F4C712045AA210FC242934F7501D84ADA@NJ-EXCHANGE1.AD.dti>
References: <6BEB7C2F4C712045AA210FC242934F7501D84ADA@NJ-EXCHANGE1.AD.dti>
Message-ID: <447F7C33.8090502@traviswatson.com>

Todd,

I've never set up a tunnel with a Netgear, but I know that it is more of a SOHO appliance, of course. Their design people probably never anticipated something like a /20 being used by their customers.

I would either just enter all 16 class Cs or, if it can do it, build the tunnel for a class B (if you have that much IP space anyway). I've done things like that for a workaround. On the non-Netgear side you can build the tunnel for a class B to, say, tcp port 3, and then the rules below it can give more granular access to the stuff you really want them to have. Just a thought.

The encouraging thing is that you can do it for a class C. If it can do that, a class B is (hopefully) possible.

Good luck,
Travis

Todd M. Simons wrote:
>
> Hello All
>
> We have a 20 bit subnet mask (255.255.240.0 aka 0.0 thru 15.255).
> We're trying to set up a VPN to a Netgear FVS318 v2.1 but can't get
> Phase 2 to come up for our entire subnet. We can bring up a VPN to a
> single host in our subnet, or to a Class C section (x.x.x.1 to
> x.x.x.255), but not our 20-bit mask (x.x.0.1 to x.x.15.255).
>
> The Netgear requires a start and end address (not a subnet and mask)
> on its VPN settings. We've tried all combinations. The Netgear side is
> odd: for the Class C it takes 1 to 255 as beginning and end address,
> not to 254. I tried all different combinations with the remote Netgear
> admin, and got nothing.
>
> I've asked him to upgrade to the latest firmware (v2.4).
>
> Has anyone ever set up a VPN to this model Netgear?
>
> Thanks,
> ~Todd
> _____________________________
> Todd M. Simons
> IT Supervisor
> Delphi Technology, Inc
> New Brunswick, NJ
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

From tsimons at delphi-tech.com Fri Jun 2 07:02:01 2006
From: tsimons at delphi-tech.com (Todd M. Simons)
Date: Fri, 2 Jun 2006 07:02:01 -0400
Subject: [VPN] Re: VPN to Netgear FVS318 v2.4
Message-ID: <6BEB7C2F4C712045AA210FC242934F7501D84B54@NJ-EXCHANGE1.AD.dti>

Thanks Travis

I tried the Class B too, that didn't work, so it looks like we're stuck with Class C. I've helped the Netgear admin open a ticket with Netgear. ...I really don't feel like managing all the class C's but will if I have to. ...hopefully Netgear will come back with something.

~Todd
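The start/end address pairs the FVS318 form wants, enumerated from a CIDR prefix, as an added example that is not part of the thread. The /20 used here is a constructed private prefix, not Todd's real one; each range runs x.x.x.1 to x.x.x.255, following Todd's observation of what the Netgear accepts for a Class C, and the gap check shows exactly what that convention leaves out.

```python
import ipaddress


def netgear_style_ranges(cidr, block_prefix=24):
    """Split a CIDR block into (start, end) pairs, one per /block_prefix.

    Ranges run from the first host (.1) to the broadcast address (.255),
    matching the "1 to 255" entry Todd reports the FVS318 accepting.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if block_prefix < net.prefixlen:
        raise ValueError(f"{cidr} is smaller than a /{block_prefix}")
    return [(str(sub.network_address + 1), str(sub.broadcast_address))
            for sub in net.subnets(new_prefix=block_prefix)]


def single_range(cidr):
    """The one-range attempt (x.x.0.1 to x.x.15.255 for a /20, or a whole /16)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return (str(net.network_address + 1), str(net.broadcast_address))


def uncovered(cidr, ranges):
    """Addresses of cidr that no (start, end) pair covers: a sanity check for
    gaps and typos before the ranges are typed into the appliance."""
    net = ipaddress.ip_network(cidr, strict=True)
    covered = set()
    for start, end in ranges:
        lo = int(ipaddress.ip_address(start))
        hi = int(ipaddress.ip_address(end))
        covered.update(range(lo, hi + 1))
    first, last = int(net.network_address), int(net.broadcast_address)
    return [str(ipaddress.ip_address(a))
            for a in range(first, last + 1) if a not in covered]


if __name__ == "__main__":
    # Constructed /20, standing in for the poster's real prefix.
    prefix = "10.10.0.0/20"
    ranges = netgear_style_ranges(prefix)
    print(f"{len(ranges)} Class C entries for {prefix}:")
    for start, end in ranges:
        print(f"  {start:<15} to {end}")
    print("single-range attempt:", single_range(prefix))
    print("left out by the 16 entries:", uncovered(prefix, ranges))
```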
From cheskett at dor.state.ne.us Tue Jun 6 09:57:25 2006
From: cheskett at dor.state.ne.us (Chad Heskett)
Date: Tue, 6 Jun 2006 08:57:25 -0500
Subject: [VPN] Testing.
Message-ID:

I just subscribed to this list and I am just trying to feel out the waters to see if there are very many participants or much action on this list.
Thanks,

Chad

From rspeed at gmail.com Tue Jun 6 15:48:54 2006
From: rspeed at gmail.com (Ryan Speed)
Date: Tue, 6 Jun 2006 12:48:54 -0700
Subject: [VPN] Re: Testing.
In-Reply-To:
References:
Message-ID:

It's not very high traffic, but from what I've seen responses are fast and very informative. If you have VPN questions this list will definitely be helpful.

--
><(((º>
Ryan Speed
http://speedo.ca (Personal site)
http://gallery.speedo.ca (Photo Gallery)
http://newsbc.ca (News BC)
http://newsbc.ca/movies (Movie Reviews)

From cheskett at dor.state.ne.us Tue Jun 6 15:58:15 2006
From: cheskett at dor.state.ne.us (Chad Heskett)
Date: Tue, 6 Jun 2006 14:58:15 -0500
Subject: [VPN] Avaya VSU's
Message-ID:

Anybody else use Avaya VSU's? We are having a heck of a time with speed at our remote sites. Our ISPs at the remote sites are giving us as much up as well as down as they can give, but we are still having very bad problems with speed/bandwidth. Can anybody give me an idea of what a person should expect, in percentage, in terms of how much loss/overhead a person can expect over VPN?

Thanks,
Chad Heskett
IT Infrastructure

From cheskett at dor.state.ne.us Wed Jun 7 08:51:11 2006
From: cheskett at dor.state.ne.us (Chad Heskett)
Date: Wed, 7 Jun 2006 07:51:11 -0500
Subject: [VPN] Avaya VSU's
Message-ID:

Just a little more background info. We have an Avaya VSU 2000 (we were running a 10000 but decided to try a 2000) at the main office. All of our remote sites have Avaya 5x or SG5 VSU's. All machines in the remote sites are constantly on our network, so it really isn't "one" application. For an example, one of our sites has Cox Cable. The account is for 6MB down and 1MB up. Doing some speed tests shows some machines in the 1.5MB down and 500kb up range, while others are clear down to 200kb down and 500kb up. Sometimes I wonder if it isn't the NIC on certain machines or maybe the switches they are plugged into. Thanks to all of you who are throwing suggestions out there. I really do appreciate it.

Thanks,
Chad Heskett
IT Infrastructure Support

From chris.meidinger at badenIT.de Thu Jun 8 08:21:32 2006
From: chris.meidinger at badenIT.de (Meidinger Chris)
Date: Thu, 8 Jun 2006 14:21:32 +0200
Subject: [VPN] Cisco ASA - Software Release 7.2.1?
In-Reply-To:
Message-ID: <763363C6C69C5A4B9735E3907164812A63EDB0@bit123.badenit.intern>

Hi VPN-Users,

I have a pair of ASA clusters with a problem accepting DHCP relay from mini-PIXes (501's). I am considering upgrading from 7.1.2 to 7.2.1 software to see if that helps at all.

Have any of you got 7.2.1 code running already? It's only been out since the 31st of May, so I'm a bit worried about taking the code right into production.

Thanks in advance for any positive/negative feedback on the ASA 7.2 image.

Chris Meidinger

From joselpcosta at yahoo.com.br Wed Jun 7 00:42:15 2006
From: joselpcosta at yahoo.com.br (Jose Costa)
Date: Wed, 7 Jun 2006 01:42:15 -0300 (ART)
Subject: [VPN] FreeSwan VPN WAN Failover & Cisco PIX
Message-ID: <20060607044216.63846.qmail@web31908.mail.mud.yahoo.com>

Hi all!

I need some help to establish a VPN using Linux FreeSwan with our customer's PIX Firewall (515E). I'll have 2 Internet links, both with static IP addresses, and about 10 machines behind the Linux gateway that need to access the LAN behind the PIX box. The Linux gateway will have 3 interfaces:

                   ---> WAN1
  LAN <--- Gateway |           --> Internet <--- PIX --> LAN
                   ---> WAN2

I would like to set up VPN redundancy or load balancing on the Linux gateway WAN links. I'm thinking about iproute on Linux. But what about the PIX (I do not have one to test)?
I think it will not let me set up 2 IPsec SAs with the same LAN addressing on the other side of the tunnel. Is it possible to set up a secondary IP/gateway for IPsec like I can do in other firewalls?

What would be your recommendations?

Thanks in advance.

José Costa

From bruns at 2mbit.com Thu Jun 8 14:48:04 2006
From: bruns at 2mbit.com (Brian Bruns)
Date: Thu, 8 Jun 2006 14:48:04 -0400
Subject: [VPN] Re: Avaya VSU's
References:
Message-ID: <014f01c68b2c$14693960$2da8a8c0@akira>

How much bandwidth is at the primary location, which is the main concentrator for these remote sites? How many hops are there between the main office and some of the remote offices?

If you can transfer files locally over the LAN at normal speeds for 10/100/1000BaseT, then it's most likely not the NIC or switches at fault.

Throw into the mix that cable modem service gets slower as more customers are placed on the same feed as you, so if you're in an area with a lot of cable modem customers, that could seriously affect bandwidth.

There is a lot that could be happening - more information is good.

--
Brian Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
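Chad asked earlier in this thread what percentage of overhead to expect over the VPN, and nobody put a number on it. The per-packet arithmetic for ESP in tunnel mode follows, as an added example that is not from the thread; it assumes AES-CBC with HMAC-SHA1-96 (and 3DES-CBC for comparison), since the page does not say which transforms the Avaya VSUs negotiate, and it ignores Ethernet framing, IKE rekeys and DPD traffic.

```python
# ESP tunnel-mode expansion per packet (RFC 4303 layout, RFC 3948 for NAT-T):
#   outer IPv4 header (20) [+ UDP NAT-T header (8)] + SPI+sequence (8) + IV
#   + inner IP packet + padding + pad-length (1) + next-header (1) + ICV
# Assumed defaults: AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV).
OUTER_IP = 20
NAT_T_UDP = 8
ESP_HDR = 8
TRAILER = 2          # pad length + next header


def esp_tunnel_size(inner_len, cipher_block=16, iv_len=16, icv_len=12, nat_t=False):
    """Bytes on the wire (at the IP layer) for an inner IP packet of inner_len bytes."""
    # CBC padding: inner packet + trailer must be a whole number of cipher blocks.
    pad = (-(inner_len + TRAILER)) % cipher_block
    encrypted = inner_len + pad + TRAILER
    udp = NAT_T_UDP if nat_t else 0
    return OUTER_IP + udp + ESP_HDR + iv_len + encrypted + icv_len


def overhead_pct(inner_len, **kw):
    """Percentage added to an inner packet of inner_len bytes."""
    return (esp_tunnel_size(inner_len, **kw) - inner_len) * 100.0 / inner_len


def max_inner_for_mtu(mtu=1500, cipher_block=16, iv_len=16, icv_len=12, nat_t=False):
    """Largest inner packet that still fits the path MTU without fragmenting."""
    udp = NAT_T_UDP if nat_t else 0
    fixed = OUTER_IP + udp + ESP_HDR + iv_len + icv_len
    encrypted = ((mtu - fixed) // cipher_block) * cipher_block
    return encrypted - TRAILER


def bulk_tcp_efficiency(mtu=1500, **kw):
    """Fraction of wire bytes that are TCP payload when the inner MSS is clamped
    so each ESP packet just fits the MTU (inner IPv4 + TCP headers = 40 bytes)."""
    inner = max_inner_for_mtu(mtu, **kw)
    return (inner - 40) / esp_tunnel_size(inner, **kw)


if __name__ == "__main__":
    print(f"{'inner bytes':>11} {'AES/SHA1':>9} {'3DES/SHA1':>10} {'AES+NAT-T':>10}")
    for n in (40, 64, 576, 1400, max_inner_for_mtu()):
        print(f"{n:>11} {overhead_pct(n):>8.1f}% "
              f"{overhead_pct(n, cipher_block=8, iv_len=8):>9.1f}% "
              f"{overhead_pct(n, nat_t=True):>9.1f}%")
    print(f"bulk TCP efficiency at 1500 MTU: {bulk_tcp_efficiency():.1%}")
```

For full-size packets the encapsulation costs a few percent and for tiny packets (ACKs, VoIP) it exceeds 100%, so a drop from 5 Mbps to 1.5 Mbps on a 6 Mbps cable link cannot be explained by framing alone.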
From bruns at 2mbit.com Thu Jun 8 15:11:32 2006
From: bruns at 2mbit.com (Brian Bruns)
Date: Thu, 8 Jun 2006 15:11:32 -0400
Subject: [VPN] Re: Avaya VSU's
References:
Message-ID: <016e01c68b2f$5b40e060$2da8a8c0@akira>

On Thursday, June 08, 2006 2:55 PM [EST], Chad Heskett wrote:
> I thought of the same thing Brian. So I tested this at the remote
> sites. I unhooked the VSU and ran directly off of the Cable Modem and
> I was getting great bandwidth. 5Mbps down easily. I hook up to the
> VSU and it sinks to 1.5Mbps or slower. We have a full Gig fiber coming
> into our main building where our central VSU is. (Avaya VSU 2000)

Great bandwidth to where though? Are you accessing the same files/setup at your home site from the remote site during the test, as you do when the VPN is in place?

In my experience from building/running an ISP, just because you have gig fiber running somewhere doesn't mean your source of the fiber has the bandwidth on the backend to the main backbones/private peering to support it (or that their provider/peering has it either).

An excellent example - had a network setup with one T1 from {major cable provider}, one T3 from {major cable provider's other office} combined with T1s from {major backbone providers}. Had a customer on a cable modem from same {major cable provider}, and due to their (unusual) routing setup for customer cable modems, the traffic actually ended up going through the {major backbone provider} T1 rather than the larger T3 pipe that happened to be from {major cable provider}, seriously killing any performance benefit of being on the same network.

--
Brian Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org

From cheskett at dor.state.ne.us Thu Jun 8 14:55:38 2006
From: cheskett at dor.state.ne.us (Chad Heskett)
Date: Thu, 8 Jun 2006 13:55:38 -0500
Subject: [VPN] Re: Avaya VSU's
In-Reply-To: <014f01c68b2c$14693960$2da8a8c0@akira>
Message-ID:

I thought of the same thing Brian. So I tested this at the remote sites. I unhooked the VSU and ran directly off of the Cable Modem and I was getting great bandwidth. 5Mbps down easily. I hook up to the VSU and it sinks to 1.5Mbps or slower. We have a full Gig fiber coming into our main building where our central VSU is. (Avaya VSU 2000)

Thanks,
Chad Heskett
IT Infrastructure Support

"Brian Bruns"   06/08/2006 01:48 PM
To: "Chad Heskett"
cc:
Subject: Re: [VPN] Avaya VSU's

From stuartbassett at hsbc.com Tue Jun 20 06:57:23 2006
From: stuartbassett at hsbc.com (stuartbassett at hsbc.com)
Date: Tue, 20 Jun 2006 11:57:23 +0100
Subject: [VPN] SonicWALL Model – Pro 3060 Enhanced [SonicOS Enhanced 3.1.0.14-49e]
Message-ID:

Can anyone tell me whether the above SonicWALL appliance's NAT-T is compatible with the Cisco VPN 3000 appliance's NAT-T?

From houbbouyaacine at yahoo.fr Fri Jun 30 09:09:24 2006
From: houbbouyaacine at yahoo.fr (Diallo Mamadou)
Date: Fri, 30 Jun 2006 15:09:24 +0200 (CEST)
Subject: [VPN] vpnclient 4.0.1 connection problem
Message-ID: <20060630130924.96622.qmail@web26212.mail.ukl.yahoo.com>

Hi,

Excuse my poor English! I am a Senegalese student; I am testing connection to a PIX 506E with a vpnclient 4.01 using rsa-sig.
I get the message "secure vpn connection terminated locally by the client Reason:Unable to contact security gateway". I have tried many things but I cannot solve the problem.

I obtained this log from the vpnclient log viewer:

Cisco Systems VPN Client Version 4.0.1 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195

94 13:30:40.203 06/28/06 Sev=Info/4 CERT/0x63600014
Cert (c=SN,o=DOUANE senegalaise,ou=pkigroup,cn=Kamou) verification succeeded.

95 13:30:40.250 06/28/06 Sev=Info/4 CM/0x63100002
Begin connection process

96 13:30:40.250 06/28/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

97 13:30:40.250 06/28/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "10.3.0.46"

98 13:30:41.265 06/28/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 10.3.0.46.

99 13:30:41.343 06/28/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 10.3.0.46

100 13:30:41.421 06/28/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 10.3.0.46

101 13:30:41.421 06/28/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA) from 10.3.0.46

102 13:30:41.468 06/28/06 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

103 13:30:41.468 06/28/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to 10.3.0.46

104 13:30:41.593 06/28/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 10.3.0.46

105 13:30:41.593 06/28/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from 10.3.0.46

106 13:30:41.593 06/28/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

107 13:30:41.593 06/28/06 Sev=Info/5 IKE/0x63000001
Peer supports DPD

108 13:30:41.593 06/28/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

109 13:30:41.593 06/28/06 Sev=Info/5 IKE/0x63000081
Received IOS Vendor ID with unknown capabilities flag 0x00000025

110 13:30:41.640 06/28/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 10.3.0.46

111 13:30:41.921 06/28/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 10.3.0.46

112 13:30:41.921 06/28/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 10.3.0.46

113 13:30:41.937 06/28/06 Sev=Info/4 CERT/0x63600014
Cert (c=SN,o=DOUANE senegalaise,cn=monpix.douane,1.2.840.113549.1.9.2=#130d6d6f6e7069782e646f75616e65,1.2.840.113549.1.9.8=#130931302e332e302e3436) verification succeeded.

114 13:30:41.937 06/28/06 Sev=Warning/3 IKE/0xE3000081
Invalid remote certificate id: ID_FQDN: ID = monpix.douane, Certificate = [NULL]

115 13:30:41.937 06/28/06 Sev=Warning/3 IKE/0xE3000058
The peer's certificate doesn't match Phase 1 ID

116 13:30:41.937 06/28/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2046)

117 13:30:41.937 06/28/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=76198AC89083E130 R_Cookie=CCF7DFE832EC4EA3) reason = DEL_REASON_IKE_NEG_FAILED

118 13:30:41.937 06/28/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 10.3.0.46

119 13:30:42.812 06/28/06 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=76198AC89083E130 R_Cookie=CCF7DFE832EC4EA3) reason = DEL_REASON_IKE_NEG_FAILED

120 13:30:42.812 06/28/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "10.3.0.46" because of "DEL_REASON_IKE_NEG_FAILED"

121 13:30:42.812 06/28/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

122 13:30:42.812 06/28/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

123 13:30:42.828 06/28/06 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

Please, I really need your help!

Cheers
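A small triage parser for the two-line entries the Cisco VPN Client 4.x log viewer produces, added here as an example that is not part of the post: it pulls out the non-Info entries, the DEL_REASON and the peer, which in the log above point at the PIX certificate not carrying the ID_FQDN it sends as its Phase 1 identity. The embedded sample is an abridged excerpt of that log.

```python
import re

# One Cisco VPN Client log entry = a header line followed by the message line(s):
#   <seq> <HH:MM:SS.mmm> <MM/DD/YY> Sev=<Name>/<level> <COMPONENT>/0x<code>
HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+"
    r"(?P<component>[A-Z]+)/(?P<code>0x[0-9A-Fa-f]{8})\s*$"
)

# Abridged excerpt of the failing negotiation from the post above.
SAMPLE_LOG = """\
113 13:30:41.937 06/28/06 Sev=Info/4 CERT/0x63600014
Cert (c=SN,o=DOUANE senegalaise,cn=monpix.douane) verification succeeded.

114 13:30:41.937 06/28/06 Sev=Warning/3 IKE/0xE3000081
Invalid remote certificate id: ID_FQDN: ID = monpix.douane, Certificate = [NULL]

115 13:30:41.937 06/28/06 Sev=Warning/3 IKE/0xE3000058
The peer's certificate doesn't match Phase 1 ID

116 13:30:41.937 06/28/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2046)

117 13:30:41.937 06/28/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=76198AC89083E130 R_Cookie=CCF7DFE832EC4EA3) reason = DEL_REASON_IKE_NEG_FAILED

120 13:30:42.812 06/28/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "10.3.0.46" because of "DEL_REASON_IKE_NEG_FAILED"
"""


def parse_log(text):
    """Return one dict per entry; message lines are joined until the next header."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["seq"] = int(entry["seq"])
            entry["level"] = int(entry["level"])   # lower number = more severe
            entry["message"] = ""
            entries.append(entry)
        elif entries and line.strip():
            cur = entries[-1]
            cur["message"] = (cur["message"] + " " + line.strip()).strip()
    return entries


def diagnose(entries):
    """What a responder needs first: non-Info entries, the first DEL_REASON, the peer."""
    warnings = [e for e in entries if e["sev"] != "Info"]
    reason = server = None
    for e in entries:
        r = re.search(r"\b(DEL_REASON_[A-Z_]+)\b", e["message"])
        if r and reason is None:
            reason = r.group(1)
        s = re.search(r'with server "([^"]+)"', e["message"])
        if s:
            server = s.group(1)
    return {"warnings": warnings, "reason": reason, "server": server}


if __name__ == "__main__":
    result = diagnose(parse_log(SAMPLE_LOG))
    print("peer:", result["server"], " reason:", result["reason"])
    for w in result["warnings"]:
        print(f'  #{w["seq"]} {w["component"]}/{w["code"]} Sev={w["sev"]}/{w["level"]}: {w["message"]}')
```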