From morten at nidelven-it.no Fri May 5 10:52:44 2006
From: morten at nidelven-it.no (Morten W. Petersen)
Date: Fri, 05 May 2006 16:52:44 +0200
Subject: [VPN] Easy VPN setup for remote users
Message-ID: <445B66BC.4070605@nidelven-it.no>

Hi,

we have some remote users that need help setting up various tools on their computers, and we would like to be able to do this for them via VPN, having them for example downloading an application and starting it so we can access their computer.

It is important that the procedure is as easy as possible for the customer, and that it should work well even if the customer is behind a firewall.

Do you know of any configurations that could work for this? We have access to a public internet server that runs Linux, maybe the customer end application could connect to that?

Thanks for any suggestions,

Morten

From nowen at wikidsystems.com Fri May 5 14:35:31 2006
From: nowen at wikidsystems.com (Nick Owen)
Date: Fri, 05 May 2006 14:35:31 -0400
Subject: [VPN] Re: Easy VPN setup for remote users
In-Reply-To: <445B66BC.4070605@nidelven-it.no>
References: <445B66BC.4070605@nidelven-it.no>
Message-ID: <445B9AF3.5080603@wikidsystems.com>

Morten W. Petersen wrote:
> Do you know of any configurations that could work for this? We have
> access to a public internet server that runs Linux, maybe the customer
> end application could connect to that?

Morten:

You might want to look into Freenx. It can be used like VNC to remote control boxes using RDP or VNC. The server can be your linux box where it can take advantage of PAM for authentication.

HTH,

Nick
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
http://sourceforge.net/projects/wikid-twofactor
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

From rhowe at siksai.co.uk Fri May 5 16:00:09 2006
From: rhowe at siksai.co.uk (Russell Howe)
Date: Fri, 5 May 2006 21:00:09 +0100
Subject: [VPN] Re: Easy VPN setup for remote users
In-Reply-To: <445B66BC.4070605@nidelven-it.no>
References: <445B66BC.4070605@nidelven-it.no>
Message-ID: <20060505200009.GA2506@xiao.rsnet>

On Fri, May 05, 2006 at 04:52:44PM +0200, Morten W. Petersen wrote:
> we have some remote users that need help setting up various tools on
> their computers, and we would like to be able to do this for them via
> VPN, having them for example downloading an application and starting it
> so we can access their computer.

If you don't mind the unencrypted-ness (which you probably should), why not just get them to install VNC and run a viewer on your end in listen mode. That way they can just connect to your listening viewer, giving you control.

No need to even install VNC such that it has a listening socket.

-- 
Russell Howe      | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?

From Aleksander.Boh at gov.si Sat May 6 08:14:31 2006
From: Aleksander.Boh at gov.si (Aleksander.Boh at gov.si)
Date: Sat, 6 May 2006 14:14:31 +0200
Subject: [VPN] Re: Easy VPN setup for remote users
Message-ID:

There are various solutions using SSL VPN, where only an https connection to the internet is required and an IE or Netscape browser. It works through the firewall (common ports 80 or 443) and the connection is initiated from the LAN (trust to untrust). You open a session as presenter on the SSL server; the user, whom you invite by sending him a URL, connects to that server for the particular server.
Then there are at least 2 options. The user grants you r/o access and you instruct him via phone line, or the user grants you r/w access (to a selected application or desktop) and lets you operate his PC while he can observe your work. The session is secure, only invited users can join and it can be timed out.

The solution depends on the scale, meaning:
- you can buy an SSL box, or you can rent (pay a yearly fee) for a number of licenced concurrent SSL sessions at a public access SSL server (run by a secure company).

If talking about up to 50 concurrent SSL remote desktop sessions then a yearly rent would be my advice. If you go beyond that and want to use additional services the box could be an option.

Check at:
http://www.isllight.com (both options)
http://www.juniper.net/products/ssl/ (look for remote desktop)

Regards,
Aleksander Boh

From: Nick Owen
Sender: vpn-bounces+aleksander.boh=gov.si at lists.shmoo.com
Date: 05.05.2006 20:35
To: "Morten W. Petersen"
Cc: vpn at lists.shmoo.com
Subject: [VPN] Re: Easy VPN setup for remote users

> Morten:
>
> You might want to look into Freenx. It can be used like VNC to remote
> control boxes using RDP or VNC. The server can be your linux box where
> it can take advantage of PAM for authentication.
>
> HTH,
>
> Nick

From igor.pronin at elma.net Sat May 6 04:44:59 2006
From: igor.pronin at elma.net (Igor Pronin)
Date: Sat, 06 May 2006 11:44:59 +0300
Subject: [VPN] Re: Easy VPN setup for remote users
In-Reply-To: <20060505200009.GA2506@xiao.rsnet>
References: <445B66BC.4070605@nidelven-it.no> <20060505200009.GA2506@xiao.rsnet>
Message-ID: <445C620B.1040808@elma.net>

Russell Howe wrote:
> If you don't mind the unencrypted-ness (which you probably should), why
> not just get them to install VNC and run a viewer on your end in listen
> mode. That way they can just connect to your listening viewer, giving
> you control.
>
> No need to even install VNC such that it has a listening socket.

Look at this: http://ultravnc.sourceforge.net/addons/singleclick.html

I have used it to assist some users remotely. It is fantastic. And it is simple to use. No installation on remote, just download and run. Use encryption with a plugin. Works even with a NATed (private IP number) connection. UltraVNC has even a file transfer feature. If you configure it properly once you can use it for all your remote assistance.

Security considerations are simple: the session can be opened only with the consent of the user and with his presence, and after the remote session nothing is running on the remote computer. Really a K.I.S.S. solution.

The disadvantages I have found:
- Only Windows.
- Both parts cannot work behind NAT, the helper has to have a public IP address.
- As slow as VNC is usually (I am fully satisfied).

There is even a NAT2NAT configuration for UltraVNC http://ultravnc.sourceforge.net/addons/nat2nat.html but it is not at all so K.I.S.S. as the Singleclick and it needs a 3rd party middleman to establish the connection.

regards
Igor.Pronin at iki.fi

From sbest at echogent.com Fri May 5 23:02:26 2006
From: sbest at echogent.com (Scott Best)
Date: Fri, 5 May 2006 20:02:26 -0700
Subject: [VPN] Re: Easy VPN setup for remote users
In-Reply-To: <20060505200009.GA2506@xiao.rsnet>
References: <445B66BC.4070605@nidelven-it.no> <20060505200009.GA2506@xiao.rsnet>
Message-ID: <2B69DB7A-08DF-46A9-A0DA-168B4ED70293@echogent.com>

Mr. Petersen:

One way to make encrypted VNC connections that doesn't require an open TCP port is to use EchoVNC alongside your VNC Server. EchoVNC lets you make a "firewall friendly" connection using a relay server that you own and control (e.g., running on your public Linux server). Data content is secured with 128-bit AES via the OpenSSL toolkit, and it works with any flavor of VNC. More info here:

http://www.echogent.com/products.htm

For remote users who are not allowed to install their own programs, try using EchoWinVNC. It's a zero-install "single click" version of VNC that you can easily customize to connect to your relay server, and even display your own splash-screen.

cheers,
Scott
From gki at pldtdsl.net Tue May 9 07:02:24 2006
From: gki at pldtdsl.net (Global Knowledge PH)
Date: Tue, 9 May 2006 19:02:24 +0800
Subject: [VPN] Ethical Hacking and Linux seminar on May 12, 2006
Message-ID: <1f8f01c67358$1c4d92c0$0a01a8c0@gkc9a34b48674e>

Global Knowledge Associates, Inc. invites you to attend.

ETHICAL HACKING SEMINAR 9AM TO 12NN
Schedule: May 12, 2006
Registration fee: Php500.00 inclusive of Material (handout & snack)
Venue: Penthouse East Tower, Philippine Stock Exchange, Ortigas Center, Pasig City

Seminar Outline
1: Threats to Security
2: Performing a risk assessment
3: Hacker Technologies
4: Buffer Overflow Exploits
5: Firewalls
6: Denial of Service and Trojans
7: Security Policy
8: Educational Resources

-------------------------------------------------------------------------------------------

LINUX SEMINAR 1PM TO 4PM
Schedule: May 12, 2006
Registration fee: Php300.00 inclusive of Material (handout & snack)
Venue: Penthouse East Tower, Philippine Stock Exchange, Ortigas Center, Pasig City

Seminar Outline
1. Introduction
   * GUI Interface
   * Copying and Pasting Text with X
2. Getting Started
   * Logging in
   * Graphical Interface
   * Creating user account
   * Shutting down your computer
3. Using the Graphical Desktop
   * Using the desktop
   * Using the Panel
   * Using Nautilus
   * Logging out
4. Configuring the date and time
   * Time and Date Properties
   * Time zone Configuration
5. Working with documents
   * Openoffice suite
   * Editing text files
   * Viewing PDFs
6. Shell Prompt Basics
   * Why Use a Shell Prompt
   * The history of the Shell
   * Locating Files and Directories
   * More Commands for Reading Text Files
7. Managing Files and Directories
   * The Larger Picture of the File System
   * File Compression and Archiving
   * Manipulating Files at the Shell Prompt

REGISTRATION FORM
Name:
Telephone No.:
Company Name:
Mobile No.:
Email:
Course/Seminar:

GLOBAL KNOWLEDGE ASSOCIATES, INC.
2502B West Tower, Philippine Stock Exchange (PSE)
Ortigas Center, Pasig City
Tel. Nos. (632) 637-3657 / 683-0969
Tele/Fax (632) 637-3657
Mobile: 0920-709-8298
Email: Sandra at globalknowledgeph.com
URL: www.globalknowledgeph.com / www.eccouncil.org

From kindy_s at yahoo.fr Tue May 9 04:55:56 2006
From: kindy_s at yahoo.fr (Kindy Sylla)
Date: Tue, 9 May 2006 10:55:56 +0200 (CEST)
Subject: [VPN] Pix doesn't respond after a while
Message-ID: <20060509085556.16453.qmail@web26907.mail.ukl.yahoo.com>

Hi,

I am having a strange behaviour with a Cisco PIX Firewall Version 6.3(5). The configuration is done, the VPNs are created between the 2 different sites. The problem is, after 5 to 6 hours of running, the ping to the remote hosts doesn't go through.

When I try to ping a remote host, I see the following lines in the debug icmp trace:

-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40
44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40
46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152

And when the remote host tries to ping a local machine, I can see the request coming in without any reply. To get the ping to work, we have to reload it.

Do you have any idea?
Please find below my config file:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N7FecZuSHJlVZC2P encrypted
passwd N7FecZuSHJlVZC2P encrypted
hostname pixbenin
domain-name boabenin.bj
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
pager lines 24
mtu outside 500
mtu inside 1500
ip address outside 81.91.235.147 255.255.255.192
ip address inside 10.102.155.135 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 10.102.156.0 255.255.252.0 0 0
route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set strong
crypto map toX 20 ipsec-isakmp
crypto map toX 20 match address acl_vpn
crypto map toX 20 set peer 196.200.82.35
crypto map toX 20 set transform-set strong
crypto map toX 30 ipsec-isakmp
crypto map toX 30 match address acl_blgo
crypto map toX 30 set peer 194.78.211.130
crypto map toX 30 set transform-set strong
crypto map toX 9990 ipsec-isakmp dynamic dynmap
crypto map toX interface outside
isakmp enable outside
isakmp key ******** address 196.200.82.35 netmask 255.255.255.255
isakmp key ******** address 194.78.211.130 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 19 authentication pre-share
isakmp policy 19 encryption 3des
isakmp policy 19 hash sha
isakmp policy 19 group 2
isakmp policy 19 lifetime 86400
telnet timeout 5
ssh 194.7.174.162 255.255.255.255 outside
ssh 194.7.174.163 255.255.255.255 outside
ssh 10.102.156.0 255.255.252.0 inside
ssh 10.102.155.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7458b1b938134f7d52ed82d4e2003210

Regards,
Kindy

From chris.meidinger at badenIT.de Wed May 10 05:20:17 2006
From: chris.meidinger at badenIT.de (Meidinger Chris)
Date: Wed, 10 May 2006 11:20:17 +0200
Subject: [VPN] Re: Pix doesn't respond after a while
Message-ID: <763363C6C69C5A4B9735E3907164812A3FD004@bit123.badenit.intern>

Hi Kindy,

It sounds like the tunnel lifetimes are not the same. You have 'isakmp policy 9 lifetime 86400' which means that the tunnel will be torn down and renegotiated after 86400 seconds. Does the other side have the same lifetime? If not, the peer gateway won't be ready to reneg the tunnel and will (probably) spit out a Bad SPI log message for each of your side's negotiation attempts.

That's definitely the first thing to check!

HTH,
Chris

-----Original Message-----
From: vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com on behalf of Kindy Sylla
Sent: Tue 09-May-06 10:55
To: vpn at lists.shmoo.com
Subject: [VPN] Pix doesn't respond after a while

From chris.meidinger at badenIT.de Wed May 10 06:51:07 2006
From: chris.meidinger at badenIT.de (Meidinger Chris)
Date: Wed, 10 May 2006 12:51:07 +0200
Subject: [VPN] Re: Pix doesn't respond after a while
Message-ID: <763363C6C69C5A4B9735E3907164812A3FD009@bit123.badenit.intern>

Is a lot of data traversing the tunnel?
Maybe there is a size limit on one side?

Can you post a log from the pix while ping is not working? Also, can you get a log from the remote peer at that same time?

Chris

-----Original Message-----
From: Kindy Sylla [mailto:kindy_s at yahoo.fr]
Sent: Wed 10-May-06 12:14
To: Meidinger Chris; vpn at lists.shmoo.com
Subject: RE: [VPN] Pix doesn't respond after a while

Hi Chris,

Thanks for the suggestion. I verified and the other side has the same lifetime value.

Any other idea? Any help would be great!!!

Kindy

From kindy_s at yahoo.fr Wed May 10 11:25:27 2006
From: kindy_s at yahoo.fr (Kindy Sylla)
Date: Wed, 10 May 2006 17:25:27 +0200 (CEST)
Subject: [VPN] Re: Pix doesn't respond after a while
In-Reply-To: <763363C6C69C5A4B9735E3907164812A3FD009@bit123.badenit.intern>
Message-ID: <20060510152527.29122.qmail@web26912.mail.ukl.yahoo.com>

Can you please tell me how to get the information you are requesting, especially how to get the log from the pix.

Thanks!

Meidinger Chris wrote:
> Is a lot of data traversing the tunnel? Maybe there is a size limit on one side?
>
> Can you post a log from the pix while ping is not working? Also, can you
> get a log from the remote peer at that same time?
Chris

-----Original Message-----
From: Kindy Sylla [mailto:kindy_s at yahoo.fr]
Sent: Wed 10-May-06 12:14
To: Meidinger Chris; vpn at lists.shmoo.com
Subject: RE: [VPN] Pix doesn't respond after a while

Hi Chris,

Thanks for the suggestion.

I verified, and the other side has the same lifetime value.

Any other idea? Any help would be great!!!

Kindy

Meidinger Chris wrote:

Hi Kindy,

It sounds like the tunnel lifetimes are not the same.

You have 'isakmp policy 9 lifetime 86400' which means that the tunnel will be torn down and renegotiated after 86400 seconds. Does the other side have the same lifetime? If not, the peer gateway won't be ready to reneg the tunnel and will (probably) spit out a Bad SPI log message for each of your side's negotiation attempts.

That's definitely the first thing to check!

HTH,

Chris

-----Original Message-----
From: vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com on behalf of Kindy Sylla
Sent: Tue 09-May-06 10:55
To: vpn at lists.shmoo.com
Subject: [VPN] Pix doesn't respond after a while

Hi,

I am having a strange behaviour with a Cisco PIX Firewall Version 6.3(5). The configuration is done, and the VPNs are created between the 2 different sites. The problem is that after 5 to 6 hours of running, the ping to the remote hosts doesn't go through. When I try to ping a remote host, I see the following lines in the debug icmp trace:

-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40
44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40
46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152

And when the remote host tries to ping a local machine, I can see the request coming in without any reply.

To get ping working, we have to reload it.

Do you have any idea?
Please find below my config file:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N7FecZuSHJlVZC2P encrypted
passwd N7FecZuSHJlVZC2P encrypted
hostname pixbenin
domain-name boabenin.bj
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
pager lines 24
mtu outside 500
mtu inside 1500
ip address outside 81.91.235.147 255.255.255.192
ip address inside 10.102.155.135 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 10.102.156.0 255.255.252.0 0 0
route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 10.102.156.0 255.255.252.0 0 0
route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set strong
crypto map toX 20 ipsec-isakmp
crypto map toX 20 match address acl_vpn
crypto map toX 20 set peer 196.200.82.35
crypto map toX 20 set transform-set strong
crypto map toX 30 ipsec-isakmp
crypto map toX 30 match address acl_blgo
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set strong
crypto map toX 20 ipsec-isakmp
crypto map toX 20 match address acl_vpn
crypto map toX 20 set peer 196.200.82.35
crypto map toX 20 set transform-set strong
crypto map toX 30 ipsec-isakmp
crypto map toX 30 match address acl_blgo
crypto map toX 30 set peer 194.78.211.130
crypto map toX 30 set transform-set strong
crypto map toX 9990 ipsec-isakmp dynamic dynmap
crypto map toX interface outside
isakmp enable outside
isakmp key ******** address 196.200.82.35 netmask 255.255.255.255
isakmp key ******** address 194.78.211.130 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 19 authentication pre-share
isakmp policy 19 encryption 3des
isakmp policy 19 hash sha
isakmp policy 19 group 2
isakmp policy 19 lifetime 86400
telnet timeout 5
ssh 194.7.174.162 255.255.255.255 outside
ssh 194.7.174.163 255.255.255.255 outside
ssh 10.102.156.0 255.255.252.0 inside
ssh 10.102.155.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7458b1b938134f7d52ed82d4e2003210

Regards,

Kindy

From kindy_s at yahoo.fr Wed May 10 06:14:14 2006
From: kindy_s at yahoo.fr (Kindy Sylla)
Date: Wed, 10 May 2006 12:14:14 +0200 (CEST)
Subject: [VPN] Re: Pix doesn't respond after a while
In-Reply-To: <763363C6C69C5A4B9735E3907164812A3FD004@bit123.badenit.intern>
Message-ID: <20060510101414.67320.qmail@web26909.mail.ukl.yahoo.com>

Hi Chris,

Thanks for the suggestion.

I verified, and the other side has the same lifetime value.

Any other idea? Any help would be great!!!

Kindy

From chris.meidinger at badenIT.de Thu May 11 03:38:34 2006
From: chris.meidinger at badenIT.de (Meidinger Chris)
Date: Thu, 11 May 2006 09:38:34 +0200
Subject: [VPN] Re: Pix doesn't respond after a while
Message-ID: <763363C6C69C5A4B9735E3907164812A55C8AD@bit123.badenit.intern>

This is the logging conf on an ASA5520 cluster of mine:

logging enable
logging timestamp
logging standby
logging asdm-buffer-size 300
logging console critical
logging buffered informational
logging flash-bufferwrap
logging flash-minimum-free 6152
logging flash-maximum-allocation 10240

To get persistent logs, send them to a syslog server or FTP. At a conf prompt do "help logging" for the syntax.
Cheers, Chris > -----Original Message----- > From: vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com > [mailto:vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com > ] On Behalf Of Kindy Sylla > Sent: Wednesday, May 10, 2006 5:25 PM > To: Meidinger Chris; vpn at lists.shmoo.com > Subject: [VPN] Re: Pix doesn't respond after a while > > Can you please tell me how to get the information you are > requesting. Specially how to get the log from the pix.. > > Thanks! > Meidinger Chris a ?crit : > > > is a lot of data traversing the tunnel? maybe there is > a size limit on one side? > > can you post a log from the pix during while ping is > not working? > > also, can you get a log from the remote peer at that same time? > > Chris > > -----Original Message----- > From: Kindy Sylla [mailto:kindy_s at yahoo.fr] > Sent: Wed 10-May-06 12:14 > To: Meidinger Chris; vpn at lists.shmoo.com > Subject: RE: [VPN] Pix doesn't respond after a while > > Hi Chris, > > Thanks for the suggestion. > > I verify and the otherside has the same lifetime value. > > Any other idea? Any help would be great!!! > > Kindy > > Meidinger Chris a ?crit : > Hi Kindy, > > It sounds like the tunnel lifetimes are not the same. > > You have 'isakmp policy 9 lifetime 86400' which means > that the tunnel will be torn down and renegotiated after > 86400 seconds. Does the other side have the same lifetime? If > not, the peer gateway won't be ready to reneg the tunnel and > will (probably) spit out a Bad SPI log message for each of > your side's negotiation attempts. > > That's definately the first thing to check! > > HTH, > > Chris > > -----Original Message----- > From: > vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com on > behalf of Kindy Sylla > Sent: Tue 09-May-06 10:55 > To: vpn at lists.shmoo.com > Subject: [VPN] Pix doesn't respond after a while > > Hi, > > I am having a strange behaviour with a Cisco PIX > Firewall Version 6.3(5). 
The configuration is done , the VPN > are created between the 2 differents sites. The probl?me is > after 5 to 6 hours of running, the ping to the remote hosts > doesn't go through. When i try to ping a remote host, I see > the followings line in the debug icmp trace: > > -request from inside:10.102.158.152 to 10.5.113.142 > ID=512 seq=5376 length=40 > 44: ICMP echo-request: translating > inside:10.102.158.152 to outside:10.102.158.152 > 45: ICMP echo-request from inside:10.102.158.152 to > 10.5.113.142 ID=512 seq=5632 length=40 > 46: ICMP echo-request: translating > inside:10.102.158.152 to outside:10.102.158.152 > > And When remote host try to ping a local machine, i > can see the request coming without any reply. > > To get the ping work , we have to reload it. > > Do you have any idea? > > Please find below my config file : > PIX Version 6.3(5) > interface ethernet0 auto > interface ethernet1 auto > nameif ethernet0 outside security0 > nameif ethernet1 inside security100 > enable password N7FecZuSHJlVZC2P encrypted > passwd N7FecZuSHJlVZC2P encrypted > hostname pixbenin > domain-name boabenin.bj > fixup protocol dns maximum-length 512 > fixup protocol ftp 21 > fixup protocol h323 h225 1720 > fixup protocol h323 ras 1718-1719 > fixup protocol http 80 > fixup protocol rsh 514 > fixup protocol rtsp 554 > fixup protocol sip 5060 > fixup protocol sip udp 5060 > fixup protocol skinny 2000 > fixup protocol smtp 25 > fixup protocol sqlnet 1521 > fixup protocol http 80 > fixup protocol rsh 514 > fixup protocol rtsp 554 > fixup protocol sip 5060 > fixup protocol sip udp 5060 > fixup protocol skinny 2000 > fixup protocol smtp 25 > fixup protocol sqlnet 1521 > fixup protocol tftp 69 > names > access-list acl_vpn permit icmp 10.102.156.0 > 255.255.252.0 192.168.0.0 255.255.255.0 > access-list acl_vpn permit ip 10.102.156.0 > 255.255.252.0 192.168.0.0 255.255.255.0 > access-list acl_blgo permit icmp 10.102.156.0 > 255.255.252.0 10.5.113.128 255.255.255.224 > access-list 
acl_blgo permit ip 10.102.156.0 > 255.255.252.0 10.5.113.128 255.255.255.224 > access-list acl_blgo permit icmp 10.102.156.0 > 255.255.252.0 10.102.128.0 255.255.254.0 > access-list acl_blgo permit ip 10.102.156.0 > 255.255.252.0 10.102.128.0 255.255.254.0 > access-list acl_blgo permit icmp 10.102.156.0 > 255.255.252.0 10.102.130.0 255.255.255.128 > access-list acl_blgo permit ip 10.102.156.0 > 255.255.252.0 10.102.130.0 255.255.255.128 > pager lines 24 > mtu outside 500 > mtu inside 1500 > ip address outside 81.91.235.147 255.255.255.192 > ip address inside 10.102.155.135 255.255.255.128 > ip audit info action alarm > ip audit attack action alarm > pdm history enable > arp timeout 14400 > nat (inside) 0 10.102.156.0 255.255.252.0 0 0 > route outside 0.0.0.0 0.0.0.0 81.91.235.129 1 > route inside 10.102.156.0 255.255.252.0 10.102.155.129 1 > timeout xlate 3:00:00 > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 > rpc 0:10:00 h225 1:00:00 > ip audit attack action alarm > pdm history enable > arp timeout 14400 > nat (inside) 0 10.102.156.0 255.255.252.0 0 0 > route outside 0.0.0.0 0.0.0.0 81.91.235.129 1 > route inside 10.102.156.0 255.255.252.0 10.102.155.129 1 > timeout xlate 3:00:00 > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 > rpc 0:10:00 h225 1:00:00 > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 > timeout sip-disconnect 0:02:00 sip-invite 0:03:00 > timeout uauth 0:05:00 absolute > aaa-server TACACS+ protocol tacacs+ > aaa-server TACACS+ max-failed-attempts 3 > aaa-server TACACS+ deadtime 10 > aaa-server RADIUS protocol radius > aaa-server RADIUS max-failed-attempts 3 > aaa-server RADIUS deadtime 10 > aaa-server LOCAL protocol local > no snmp-server location > no snmp-server contact > snmp-server community public > no snmp-server enable traps > floodguard enable > sysopt connection permit-ipsec > crypto ipsec transform-set strong esp-3des esp-sha-hmac > crypto dynamic-map dynmap 30 set transform-set strong > crypto map toX 20 
ipsec-isakmp > crypto map toX 20 match address acl_vpn > crypto map toX 20 set peer 196.200.82.35 > crypto map toX 20 set transform-set strong > crypto map toX 30 ipsec-isakmp > crypto map toX 30 match address acl_blgo > crypto ipsec transform-set strong esp-3des esp-sha-hmac > crypto dynamic-map dynmap 30 set transform-set strong > crypto map toX 20 ipsec-isakmp > crypto map toX 20 match address acl_vpn > crypto map toX 20 set peer 196.200.82.35 > crypto map toX 20 set transform-set strong > crypto map toX 30 ipsec-isakmp > crypto map toX 30 match address acl_blgo > crypto map toX 30 set peer 194.78.211.130 > crypto map toX 30 set transform-set strong > crypto map toX 9990 ipsec-isakmp dynamic dynmap > crypto map toX interface outside > isakmp enable outside > isakmp key ******** address 196.200.82.35 netmask > 255.255.255.255 > isakmp key ******** address 194.78.211.130 netmask > 255.255.255.255 > isakmp identity address > isakmp policy 9 authentication pre-share > isakmp policy 9 encryption 3des > isakmp policy 9 hash sha > isakmp policy 9 group 1 > isakmp policy 9 lifetime 86400 > isakmp policy 19 authentication pre-share > isakmp policy 19 encryption 3des > isakmp policy 19 hash sha > isakmp policy 19 group 2 > isakmp policy 19 lifetime 86400 > telnet timeout 5 > ssh 194.7.174.162 255.255.255.255 outside > ssh 194.7.174.163 255.255.255.255 outside > ssh 10.102.156.0 255.255.252.0 inside > ssh 10.102.155.0 255.255.255.0 inside > ssh timeout 5 > console timeout 0 > terminal width 80 > Cryptochecksum:7458b1b938134f7d52ed82d4e2003210 > > Regrds, > > Kindy > > > > --------------------------------- > Faites de Yahoo! votre page d'accueil sur le web pour > retrouver directement vos services pr?f?r?s : v?rifiez vos > nouveaux mails, lancez vos recherches et suivez l'actualit? > en temps r?el. Cliquez ici. > > > > > > --------------------------------- > Faites de Yahoo! 
votre page d'accueil sur le web pour > retrouver directement vos services pr?f?r?s : v?rifiez vos > nouveaux mails, lancez vos recherches et suivez l'actualit? > en temps r?el. Cliquez ici. > > > > > ________________________________ > > Yahoo! Mail r?invente le mail ! D?couvrez le nouveau Yahoo! > Mail > com/mail/nouveaumail.html> et son interface r?volutionnaire. > From kindy_s at yahoo.fr Fri May 12 11:12:44 2006 From: kindy_s at yahoo.fr (Kindy Sylla) Date: Fri, 12 May 2006 17:12:44 +0200 (CEST) Subject: [VPN] Re: Pix doesn't respond after a while In-Reply-To: <763363C6C69C5A4B9735E3907164812A55C8AD@bit123.badenit.intern> Message-ID: <20060512151244.73825.qmail@web26909.mail.ukl.yahoo.com> I enabled the logging and i can see incoming ICMP trame coming from the remote VPN on the console. this help a lot thanks! However, i have probleme to configure the syslog server. I am getting this error : syslogd: restarted. Debugging disabled, SIGUSR1 to turn on debugging. any idea??? cheers, Kindy Meidinger Chris a ?crit : this is the logging conf on an ASA5520 cluster of mine: logging enable logging timestamp logging standby logging asdm-buffer-size 300 logging console critical logging buffered informational logging flash-bufferwrap logging flash-minimum-free 6152 logging flash-maximum-allocation 10240 to get persistant logs, send them to a syslog server of ftp. At a conf prompt do help logging for the syntax. Cheers, Chris > -----Original Message----- > From: vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com > [mailto:vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com > ] On Behalf Of Kindy Sylla > Sent: Wednesday, May 10, 2006 5:25 PM > To: Meidinger Chris; vpn at lists.shmoo.com > Subject: [VPN] Re: Pix doesn't respond after a while > > Can you please tell me how to get the information you are > requesting. Specially how to get the log from the pix.. > > Thanks! > Meidinger Chris a ?crit : > > > is a lot of data traversing the tunnel? 
maybe there is > a size limit on one side? > > can you post a log from the pix during while ping is > not working? > > also, can you get a log from the remote peer at that same time? > > Chris > > -----Original Message----- > From: Kindy Sylla [mailto:kindy_s at yahoo.fr] > Sent: Wed 10-May-06 12:14 > To: Meidinger Chris; vpn at lists.shmoo.com > Subject: RE: [VPN] Pix doesn't respond after a while > > Hi Chris, > > Thanks for the suggestion. > > I verify and the otherside has the same lifetime value. > > Any other idea? Any help would be great!!! > > Kindy > > Meidinger Chris a ?crit : > Hi Kindy, > > It sounds like the tunnel lifetimes are not the same. > > You have 'isakmp policy 9 lifetime 86400' which means > that the tunnel will be torn down and renegotiated after > 86400 seconds. Does the other side have the same lifetime? If > not, the peer gateway won't be ready to reneg the tunnel and > will (probably) spit out a Bad SPI log message for each of > your side's negotiation attempts. > > That's definately the first thing to check! > > HTH, > > Chris > > -----Original Message----- > From: > vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com on > behalf of Kindy Sylla > Sent: Tue 09-May-06 10:55 > To: vpn at lists.shmoo.com > Subject: [VPN] Pix doesn't respond after a while > > Hi, > > I am having a strange behaviour with a Cisco PIX > Firewall Version 6.3(5). The configuration is done , the VPN > are created between the 2 differents sites. The probl?me is > after 5 to 6 hours of running, the ping to the remote hosts > doesn't go through. 
When i try to ping a remote host, I see > the followings line in the debug icmp trace: > > -request from inside:10.102.158.152 to 10.5.113.142 > ID=512 seq=5376 length=40 > 44: ICMP echo-request: translating > inside:10.102.158.152 to outside:10.102.158.152 > 45: ICMP echo-request from inside:10.102.158.152 to > 10.5.113.142 ID=512 seq=5632 length=40 > 46: ICMP echo-request: translating > inside:10.102.158.152 to outside:10.102.158.152 > > And When remote host try to ping a local machine, i > can see the request coming without any reply. > > To get the ping work , we have to reload it. > > Do you have any idea? > > Please find below my config file : > PIX Version 6.3(5) > interface ethernet0 auto > interface ethernet1 auto > nameif ethernet0 outside security0 > nameif ethernet1 inside security100 > enable password N7FecZuSHJlVZC2P encrypted > passwd N7FecZuSHJlVZC2P encrypted > hostname pixbenin > domain-name boabenin.bj > fixup protocol dns maximum-length 512 > fixup protocol ftp 21 > fixup protocol h323 h225 1720 > fixup protocol h323 ras 1718-1719 > fixup protocol http 80 > fixup protocol rsh 514 > fixup protocol rtsp 554 > fixup protocol sip 5060 > fixup protocol sip udp 5060 > fixup protocol skinny 2000 > fixup protocol smtp 25 > fixup protocol sqlnet 1521 > fixup protocol http 80 > fixup protocol rsh 514 > fixup protocol rtsp 554 > fixup protocol sip 5060 > fixup protocol sip udp 5060 > fixup protocol skinny 2000 > fixup protocol smtp 25 > fixup protocol sqlnet 1521 > fixup protocol tftp 69 > names > access-list acl_vpn permit icmp 10.102.156.0 > 255.255.252.0 192.168.0.0 255.255.255.0 > access-list acl_vpn permit ip 10.102.156.0 > 255.255.252.0 192.168.0.0 255.255.255.0 > access-list acl_blgo permit icmp 10.102.156.0 > 255.255.252.0 10.5.113.128 255.255.255.224 > access-list acl_blgo permit ip 10.102.156.0 > 255.255.252.0 10.5.113.128 255.255.255.224 > access-list acl_blgo permit icmp 10.102.156.0 > 255.255.252.0 10.102.128.0 255.255.254.0 > access-list 
acl_blgo permit ip 10.102.156.0 > 255.255.252.0 10.102.128.0 255.255.254.0 > access-list acl_blgo permit icmp 10.102.156.0 > 255.255.252.0 10.102.130.0 255.255.255.128 > access-list acl_blgo permit ip 10.102.156.0 > 255.255.252.0 10.102.130.0 255.255.255.128 > pager lines 24 > mtu outside 500 > mtu inside 1500 > ip address outside 81.91.235.147 255.255.255.192 > ip address inside 10.102.155.135 255.255.255.128 > ip audit info action alarm > ip audit attack action alarm > pdm history enable > arp timeout 14400 > nat (inside) 0 10.102.156.0 255.255.252.0 0 0 > route outside 0.0.0.0 0.0.0.0 81.91.235.129 1 > route inside 10.102.156.0 255.255.252.0 10.102.155.129 1 > timeout xlate 3:00:00 > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 > rpc 0:10:00 h225 1:00:00 > ip audit attack action alarm > pdm history enable > arp timeout 14400 > nat (inside) 0 10.102.156.0 255.255.252.0 0 0 > route outside 0.0.0.0 0.0.0.0 81.91.235.129 1 > route inside 10.102.156.0 255.255.252.0 10.102.155.129 1 > timeout xlate 3:00:00 > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 > rpc 0:10:00 h225 1:00:00 > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 > timeout sip-disconnect 0:02:00 sip-invite 0:03:00 > timeout uauth 0:05:00 absolute > aaa-server TACACS+ protocol tacacs+ > aaa-server TACACS+ max-failed-attempts 3 > aaa-server TACACS+ deadtime 10 > aaa-server RADIUS protocol radius > aaa-server RADIUS max-failed-attempts 3 > aaa-server RADIUS deadtime 10 > aaa-server LOCAL protocol local > no snmp-server location > no snmp-server contact > snmp-server community public > no snmp-server enable traps > floodguard enable > sysopt connection permit-ipsec > crypto ipsec transform-set strong esp-3des esp-sha-hmac > crypto dynamic-map dynmap 30 set transform-set strong > crypto map toX 20 ipsec-isakmp > crypto map toX 20 match address acl_vpn > crypto map toX 20 set peer 196.200.82.35 > crypto map toX 20 set transform-set strong > crypto map toX 30 ipsec-isakmp > 
crypto map toX 30 match address acl_blgo > crypto ipsec transform-set strong esp-3des esp-sha-hmac > crypto dynamic-map dynmap 30 set transform-set strong > crypto map toX 20 ipsec-isakmp > crypto map toX 20 match address acl_vpn > crypto map toX 20 set peer 196.200.82.35 > crypto map toX 20 set transform-set strong > crypto map toX 30 ipsec-isakmp > crypto map toX 30 match address acl_blgo > crypto map toX 30 set peer 194.78.211.130 > crypto map toX 30 set transform-set strong > crypto map toX 9990 ipsec-isakmp dynamic dynmap > crypto map toX interface outside > isakmp enable outside > isakmp key ******** address 196.200.82.35 netmask > 255.255.255.255 > isakmp key ******** address 194.78.211.130 netmask > 255.255.255.255 > isakmp identity address > isakmp policy 9 authentication pre-share > isakmp policy 9 encryption 3des > isakmp policy 9 hash sha > isakmp policy 9 group 1 > isakmp policy 9 lifetime 86400 > isakmp policy 19 authentication pre-share > isakmp policy 19 encryption 3des > isakmp policy 19 hash sha > isakmp policy 19 group 2 > isakmp policy 19 lifetime 86400 > telnet timeout 5 > ssh 194.7.174.162 255.255.255.255 outside > ssh 194.7.174.163 255.255.255.255 outside > ssh 10.102.156.0 255.255.252.0 inside > ssh 10.102.155.0 255.255.255.0 inside > ssh timeout 5 > console timeout 0 > terminal width 80 > Cryptochecksum:7458b1b938134f7d52ed82d4e2003210 > > Regrds, > > Kindy > > > > --------------------------------- > Faites de Yahoo! votre page d'accueil sur le web pour > retrouver directement vos services pr?f?r?s : v?rifiez vos > nouveaux mails, lancez vos recherches et suivez l'actualit? > en temps r?el. Cliquez ici. > > > > > > --------------------------------- > Faites de Yahoo! votre page d'accueil sur le web pour > retrouver directement vos services pr?f?r?s : v?rifiez vos > nouveaux mails, lancez vos recherches et suivez l'actualit? > en temps r?el. Cliquez ici. > > > > > ________________________________ > > Yahoo! Mail r?invente le mail ! 
_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From rage290 at gmail.com Sun May 28 06:02:13 2006
From: rage290 at gmail.com (Ryan)
Date: Sun, 28 May 2006 10:02:13 +0000 (UTC)
Subject: [VPN] Re: LAN-to-LAN with Overlapping networks and PAT
References: <20050331180118.55827.qmail@web26005.mail.ukl.yahoo.com>
Message-ID:

Siddhartha Jain yahoo.co.uk> writes:

> Hello,
>
> I am trying to get a LAN-to-LAN IPSec VPN to work.
>
> Site A is 10.250.0.0/16
> Site B is 10.0.0.0/8
>
> On Site A, the inside network accesses the internet by being PAT-ted to a pool of four global IP addresses - 64.aa.bb.cc/29
>
> Site B has NAT-ted the hosts to be connected to over the VPN with 192.168.40.0/24
>
> Now my question is how do I configure the Site A router wrt NAT.
>
> Will it work if I leave the PAT on Site A as it is and define my interesting traffic as:
> access-list 190 permit ip 64.aa.bb.cc 0.0.0.8 host 192.168.40.1
>
> The PAT on site A is defined as:
> ip nat pool tcsux 64.aa.bb.c1 64.aa.bb.c4 prefix-length 29
> ip nat inside source list 163 pool tcsux overload
>
> On Site B, the interesting traffic would then be between 192.168.40.0/24 and 64.aa.bb.cc/29
>
> Will this work? Of course, I can punch in the config and see if it works, but unfortunately Site B isn't under my command so I need to suggest the config to the Site B admin.
>
> Thanks,
>
> Siddhartha Jain (CISSP)
>
> My Gear: Canon Digital 300D with Canon 18-55mm f/3.5-5.6
> : Minolta Maxxum 5 with Tamron 28-200mm f/3.8-5.6 Super LD IF
> : Pentax M42 mount Super-Takumar 50mm f/1.4
> : Jupiter M42 mount 200mm 21m f4
> : Mahindra Bolero GLX
>
> The Bombay Amateur Photographers Club
> http://groups.yahoo.com/group/tbapc/
>
> Mahindra & Mahindra Jeepers
> http://autos.groups.yahoo.com/group/mmjeeps/
>

Hi,

with a site to site tunnel, you need to avoid NAT when communicating with the remote peer and remote networks. Also, you should set up rules to allow traffic between the internal nets locally and remote....not external nets. So, you would have an ACL allowing all traffic to go bidirectional from 10.250.0.0/16 to 10.0.0.0/8,192.168.40.0/24; then just make sure you have static routes set up for the remote networks.

The PAT is fine as long as it does not apply to the remote peer gateway or remote networks. All traffic except the needed tunnel traffic should hide behind the PAT....so basically all networks except the 10.250.0.0/16 network should hide behind the PAT on Site A.

Configuring Site A wrt the NAT: If you don't have control over the NAT (like with an ISP), you can turn on "Enable NAT-T traversal" on Site A. With this enabled, you will have inaccurate monitoring of the Site B interface that's NAT'd. It will report the tunnel is down a lot, when it's still up. But, the tunnel will work fine.

I don't believe that leaving the PAT on Site A will work. For one thing, Site A is not going to be able to talk to the 192.168.40.0/24 network until the tunnel is built. And, the ACLs/policies are validated first...before Phase 1 IKE even starts. So, you need to have Site B's public IP...or use the first hop (outbound) for Site B.

Make sure the Site B admin is allowing the tunnel traffic to pass through the router/gateway that leads to the 192.168.40.0 network:
UDP 500, UDP 4500, TCP 500, TCP 10000, UDP 10000, IP51, IP47

Hope this helps.

From rage290 at gmail.com Sun May 28 06:28:18 2006
From: rage290 at gmail.com (Ryan)
Date: Sun, 28 May 2006 10:28:18 +0000 (UTC)
Subject: [VPN] Re: Checkpoint VPN
References: <4e4f8ce405040504435ecdcd6b@mail.gmail.com>
Message-ID:

Sajid Fiaz gmail.com> writes:

> Hello,
>
> I wanted to set up a Site to Site VPN with Checkpoint Firewall-1 NG FP-3 and ISA Server 2004; can some of you tell me where I can find the exact information about that?
>
> 2nd is that I wanted to allow my clients to dial a VPN connection from their machines while they are behind the Checkpoint Firewall (NAT Clients). I cannot find any useful information about this.
>

You have to add the gateway on the Checkpoint as an Interoperable Device.

Easiest way to establish dial vpn connections is using PPTP or L2TP. Allow PPTP (TCP 1723) both directions on the Checkpoint; and also allow UDP500, ESP, AH, GRE and UDP4500. Also, set up xAuth using LDAP, Kerberos or RADIUS. The LOCAL db for Checkpoint NG is limited.

Also make sure that the dial vpn clients behind your checkpoint are NAT'd behind the public interface and not a DIP pool. Otherwise they will have problems connecting over PPTP.

From tsimons at delphi-tech.com Tue May 30 20:29:51 2006
From: tsimons at delphi-tech.com (Todd M. Simons)
Date: Tue, 30 May 2006 20:29:51 -0400
Subject: [VPN] VPN to Netgear FVS318 v2.4
Message-ID: <6BEB7C2F4C712045AA210FC242934F7501D84ABE@NJ-EXCHANGE1.AD.dti>

Hello All,

We have a 20 bit subnet mask (255.255.240.0, aka 0.0 thru 15.255). We're trying to set up a VPN to a Netgear FVS318 v2.1 but can't get Phase 2 to come up for our entire subnet. We can bring up a VPN to a single host in our subnet, or to a Class C section (x.x.x.1 to x.x.x.255), but not our 20-bit mask (x.x.0.1 to x.x.15.255).

The Netgear requires a start and end address (not a subnet and mask) in its VPN settings. We've tried all combinations.
The Netgear side is odd; for the Class C it takes 1 to 255 as beginning and end address, not to 254. I tried all different combinations with the remote Netgear admin, and got nothing. I've asked him to upgrade to the latest firmware (v2.4).

Has anyone ever set up a VPN to this model Netgear?

Thanks,
~Todd
_____________________________
Todd M. Simons
IT Supervisor
Delphi Technology, Inc
New Brunswick, NJ

From tsimons at delphi-tech.com Wed May 31 10:48:07 2006
From: tsimons at delphi-tech.com (Todd M. Simons)
Date: Wed, 31 May 2006 10:48:07 -0400
Subject: [VPN] VPN to Netgear FVS318 v2.4
Message-ID: <6BEB7C2F4C712045AA210FC242934F7501D84ADA@NJ-EXCHANGE1.AD.dti>
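Two posts in this section come down to the same question of how a Phase 2 traffic selector is expressed: Ryan's advice that Site A's tunnel traffic must bypass the PAT while everything else hides behind it (LAN-to-LAN with overlapping networks), and Todd's need to turn a 20-bit block into the start/end address pair the FVS318 asks for. The Python below is an added example, not code from any poster or vendor; it uses the 10.250.0.0/16, 10.0.0.0/8 and 192.168.40.0/24 networks from the LAN-to-LAN thread, and a constructed 10.20.0.0/20 as a stand-in for Todd's x.x.0.0 to x.x.15.255 range.

```python
"""Added example (not any poster's code): the Phase 2 selector questions of
this thread. 10.250.0.0/16, 10.0.0.0/8 and 192.168.40.0/24 are from the
LAN-to-LAN post; 10.20.0.0/20 is a constructed stand-in for Todd's /20."""
import ipaddress

def network_to_range(network):
    """Start/end addresses of a network/mask, the form a range-only peer wants."""
    net = ipaddress.ip_network(network, strict=False)
    return str(net.network_address), str(net.broadcast_address)

def range_to_network(start, end):
    """The single CIDR block covering exactly start..end, or None when the
    range is not one aligned block (x.x.0.1 - x.x.15.255 is not)."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return str(blocks[0]) if len(blocks) == 1 else None

def classify(src, dst, local_nets, crypto_acl, pat_sources):
    """What Site A does with a packet: 'local' stays on the LAN, 'tunnel'
    matches the crypto ACL and must bypass PAT, 'pat' hides behind the pool."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Overlap: 10.250.0.0/16 lies inside 10.0.0.0/8, so test local first.
    if any(d in ipaddress.ip_network(n) for n in local_nets):
        return "local"
    for src_net, dst_net in crypto_acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return "tunnel"
    if any(s in ipaddress.ip_network(n) for n in pat_sources):
        return "pat"
    return "unmatched"

# Site A policy as Ryan describes it: 10.250/16 to 10/8 and to 192.168.40/24
# is tunnel traffic and is exempt from NAT; everything else hides behind PAT.
SITE_A_LOCAL = ["10.250.0.0/16"]
SITE_A_CRYPTO_ACL = [("10.250.0.0/16", "10.0.0.0/8"),
                     ("10.250.0.0/16", "192.168.40.0/24")]
SITE_A_PAT_SOURCES = ["10.250.0.0/16"]

def site_a(src, dst):
    return classify(src, dst, SITE_A_LOCAL, SITE_A_CRYPTO_ACL, SITE_A_PAT_SOURCES)

if __name__ == "__main__":
    print(network_to_range("10.20.0.0/255.255.240.0"))  # Todd's /20 as start/end
    print(range_to_network("10.20.0.1", "10.20.15.255"))  # None: not one block
    for dst in ("10.250.9.9", "10.7.7.7", "192.168.40.1", "198.51.100.9"):
        print(dst, site_a("10.250.3.4", dst))
```

Running it shows that x.x.0.0 to x.x.15.255 is one /20 while x.x.0.1 to x.x.15.255 is not a single aligned block, and that only destinations in Site B's networks are classed as tunnel traffic on Site A.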