From zmmay at hotmail.com Mon Sep 4 11:02:26 2006
From: zmmay at hotmail.com (zoe)
Date: Mon, 4 Sep 2006 16:02:26 +0100
Subject: [VPN] Re: fw1 site to site vpn subnet conflict
In-Reply-To: <8B7306277368B04A9FFF63141947A48F0347A1B5@msecho3.msfc.nasa.gov>
Message-ID:

I can't change the subnets at either end and I can't change the IPs on any of the servers. When I access hosts on their subnet I can use the real addresses of their hosts because I'm not using the subnet that these hosts are on in my network.

Example scenario

- My network = 192.168.100.0. I apply a rule that NATs this behind 192.168.98.0 for connections to client.
- Hosts on client network that I need to access are in the 192.168.99.0. I'm not using this range at all so hosts on my network can use the real addresses to get to servers on client network.
- Client needs to get to some of my servers. His clients can't use the real addresses of my servers because they will be routed off to the 192.168.100 subnet on their network.
- To overcome this I tried setting up a static nat rule like the one below for one of the hosts that they are trying to access.
  E.g. original packet   = src=client_encryption_domain dest=192.168.98.10
       translated packet = destination=192.168.100.10
       original packet   = src=192.168.100.10 dest=client_encryption_domain
       translated packet = source=192.168.100.10

I initially got errors (dropped packet forwarded between two interfaces) until I set up a static route on the firewall (e.g. 192.168.98.10 255.255.255.255 gw 192.168.100.10).
After this I did see the encrypted traffic coming through when they tried to access the host using the nat address (192.168.98.10) but they didn't get any response from the machine and I couldn't see any return traffic.
Cheers

Zoe

-----Original Message-----
From: Smith, Duane [mailto:Duane.Smith at nasa.gov]
Sent: 31 August 2006 23:02
To: Ken Livingston; zmmay at hotmail.com; vpn at lists.shmoo.com
Subject: RE: [VPN] Re: fw1 site to site vpn subnet conflict

We have a similar configuration involving a datacenter that wanted us to interface with servers in a 10.x network. I don't see why you can't use the nat'ing solution in both directions. They set the nat'ing rule up on their end and we connect to them just fine. They had to add an IP address from a different 10.y subnet to a few of their servers and nat the 10.y so that the nat rule would not apply to other integrations where the 10.x was already in production. In short: why is your nat rule "directional"?

drs

-----Original Message-----
From: vpn-bounces+duane.smith=msfc.nasa.gov at lists.shmoo.com [mailto:vpn-bounces+duane.smith=msfc.nasa.gov at lists.shmoo.com] On Behalf Of Ken Livingston
Sent: Thursday, August 31, 2006 8:32 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Re: fw1 site to site vpn subnet conflict

I take it that it would be too much to change either your private network subnet or the subnet on the other end which conflicts with yours? I think that's going to be the only thing you can do in this case. If the individual devices on the remote end don't need access to the rest of their network, you can try changing their default gateway to the IP address of the VPN endpoint on the remote side and that should allow their traffic to pass through the VPN correctly, but they won't be able to access the other network subnets on their own side.

Maybe someone else has other ideas but I think you'll have to change one side or the other in order to make this work properly.
Undrhil

----- Original Message -----
From: "zoe"
To:
Sent: Wednesday, August 30, 2006 11:30 AM
Subject: [VPN] fw1 site to site vpn subnet conflict

> Hi
>
> I have a site to site vpn with a client (fw1 at each end). I only have one
> private subnet behind my firewall but my client has many and one of
> these conflicts with mine.
> Initially I only needed this connection to work one way (us --> them) so I
> put a manual nat rule in place which hide nats my /24 behind a
> different private /24 for connections to the client. This works fine.
>
> Now I have been asked to enable inbound traffic to certain hosts from the
> client (them --> us). They can't use the real addresses of my hosts as
> they would be routed to their own network. Any suggestions on how
> this can be done (if at all)? I have tried a few things including adding
> static nat inbound to the few hosts they need to access but have had no
> success. I can post more config if anyone thinks they can help.
>
> Thanks
>
> Zoe

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From travis at traviswatson.com Mon Sep 4 14:37:15 2006
From: travis at traviswatson.com (Travis Watson)
Date: Mon, 04 Sep 2006 11:37:15 -0700
Subject: [VPN] Re: fw1 site to site vpn subnet conflict
In-Reply-To:
References:
Message-ID: <44FC725B.6050300@traviswatson.com>

Zoe,

I think you would be best off with a pool NAT. If both sides are 192.168.x, you can make a network object for something in 10.x or 172.16.x, or whatever, and have the route for that netblock point to the internal core router, which will take care of the rest of the routing logic from there. It's been years since I've worked with a Chokepoint, but I believe that you put the netblock in the encrypt rule itself (and make sure it is part of the encryption domain and anti-spoofing group so you don't get anti-spoofing errors).
This way you don't have to worry about making NAT rules and it gives you room for growth if/when this situation comes up again. You *may* have to play with the SAs on both sides, but I don't think so (CP has their own proprietary way of dealing with SAs, but it's pretty close to everyone else). Pity you don't have Netscreens--they have a much more elegant solution to the problem you're facing. But CP can handle it, I believe.

--Travis

From jsdy at center.osis.gov Tue Sep 5 12:17:40 2006
From: jsdy at center.osis.gov (Joseph S D Yao)
Date: Tue, 5 Sep 2006 12:17:40 -0400
Subject: [VPN] Re: fw1 site to site vpn subnet conflict
In-Reply-To: <000001c6d033$2285c760$5201a8c0@cartesian.co.uk>
References: <8B7306277368B04A9FFF63141947A48F0347A1B5@msecho3.msfc.nasa.gov> <000001c6d033$2285c760$5201a8c0@cartesian.co.uk>
Message-ID: <20060905161740.GA30608@core.center.osis.gov>

If you dual-proxy with two firewalls, you can use DNS internally to each network but not resolve each other's IP addresses.

    you - fw#1 ----------- fw#2 - them
                 IP address network
              unused on either side

To elaborate: Say you are using all 10.0's, 10.1's, 10.2's, and 10.3's, and they are using 10.3's, 10.4's, and 10.5's. Choose a 10.255.255 or a 172.31.255 for the in-between network. When someone wants to do a Web browse, have your Web browser proxy to fw#1, and fw#1 forwards the proxy message for them.com to fw#2, which uses their own DNS to resolve the name. Similarly, their Web browsers proxy to fw#2, which forwards the proxy message for you.com to fw#1, which uses your own DNS to resolve the name.
When someone wants to send mail, have your mail server forward all them.com e-mail to fw#1, which will forward it all to fw#2, which will either forward it to a given mail server on their side or use their own DNS to determine the mail server. Similarly, when they want to send you e-mail, their mail server will forward all you.com e-mail to fw#2, which will forward it all to fw#1, which will either forward it to a given mail server on your side or use your own DNS to determine the mail server.

Other services can be similarly proxied.

--
Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.

From vnyelurkar at gmail.com Wed Sep 6 00:51:25 2006
From: vnyelurkar at gmail.com (Virendra Yelurkar)
Date: Wed, 6 Sep 2006 10:21:25 +0530
Subject: [VPN] Routing and Signaling protocol considerations in IPSec VPN.
Message-ID: <517de3280609052151k752015dej33d56160d09bb1f9@mail.gmail.com>

Dear members,

I am doing a deployment study for one of our IPSec VPN products. Am I supposed to study "Routing and Signaling protocol considerations in IPSec VPN"? If yes, then is anybody having more information regarding this?

Waiting for early response.

-----------------------------------------------------------------------
Regards,
Virendra Yelurkar,
Pune, India.
"emotions provoke the desire but ........kills the performance!"

From aaronfmd at yahoo.com Mon Sep 18 08:52:05 2006
From: aaronfmd at yahoo.com (Aaron none)
Date: Mon, 18 Sep 2006 05:52:05 -0700 (PDT)
Subject: [VPN] Force VPN traffic
Message-ID: <20060918125206.90462.qmail@web52605.mail.yahoo.com>

I am a home user trying to route all of my traffic thru my work proxy. I use IPSEC VPN and connect without any problems to work.
While I'm connected, everything works fine and all of my traffic (not just port 80 or http; it includes pop, games, etc.) goes thru the work proxy. The problem is when my internet connection resets every 15 minutes or so, the VPN drops and a dialogue pops up asking me if I want to reconnect to the VPN. If I'm sitting there, I just reconnect, but if I'm away, all of my traffic goes straight to the internet without going through the proxy. I'm trying to deal with my ISP to get a workaround for the internet disconnecting. In the meantime, what can I do? I want to prevent my computer from using the non-VPN IP when I'm away. I'm using Comcast Cable internet, Win XP SP2, and a linksys router, and the Windows built-in dialer for connecting to the VPN. Is there a third party VPN client that could redial without the dialogue box, or can I disable the one that the Windows dialer uses? Is there another way to force my computer to not use the non-proxy IP?

Thanks for your help.

aaron

From chris.meidinger at badenIT.de Mon Sep 18 17:39:09 2006
From: chris.meidinger at badenIT.de (Meidinger Chris)
Date: Mon, 18 Sep 2006 23:39:09 +0200
Subject: [VPN] Re: Force VPN traffic
References: <20060918125206.90462.qmail@web52605.mail.yahoo.com>
Message-ID: <763363C6C69C5A4B9735E3907164812A3FD0D3@bit123.badenit.intern>

Hi Aaron,

what kind of proxy are you using at work? Are you socksifying everything? Or do you mean that you want to route stuff over work, without actually proxying it?
Chris

From mtzcesar at gmail.com Tue Sep 26 14:46:01 2006
From: mtzcesar at gmail.com (Cesar Martinez)
Date: Tue, 26 Sep 2006 11:46:01 -0700
Subject: [VPN] concentrator cisco
Message-ID:

I have this equipment

VPN Concentrator Type: 3005
Serial Number: CAM01371509
Bootcode Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 2.5.Rel Jun 21 2000 18:57:52
Software Rev: Cisco Systems, Inc./VPN 3000 Concentrator Version 4.0.4.A Dec 10 2003 19:32:50

and I need to change the parameters of the group bases but the equipment does not keep the changes to me... I enter the equipment as administrator... and already tries dropping from rolls all the users and groups... but the continuous problem... it does not keep changes in the group bases... and on any other created group if it accepts the changes.
some idea?, tips?

I have a Cisco document of which I want to make the Document ID: 5403

thank you very much

From chris.meidinger at badenIT.de Wed Sep 27 04:32:59 2006
From: chris.meidinger at badenIT.de (Meidinger Chris)
Date: Wed, 27 Sep 2006 10:32:59 +0200
Subject: [VPN] Re: concentrator cisco
Message-ID: <763363C6C69C5A4B9735E3907164812A7CCB27@bit123.badenit.intern>

It's broken.
Chris

From chris.meidinger at badenIT.de Thu Sep 28 06:01:30 2006
From: chris.meidinger at badenIT.de (Meidinger Chris)
Date: Thu, 28 Sep 2006 12:01:30 +0200
Subject: [VPN] Re: concentrator cisco
Message-ID: <763363C6C69C5A4B9735E3907164812A7CCBD5@bit123.badenit.intern>

I would try exporting your config, switching to your backup concentrator, installing the newest firmware from cisco and reconfiguring. If that doesn't work, vpn3000's make great paperweights.

Chris

> -----Original Message-----
> From: Cesar Martinez [mailto:mtzcesar at gmail.com]
> Sent: Wednesday, September 27, 2006 8:59 PM
> To: Meidinger Chris
> Subject: Re: [VPN] concentrator cisco
>
> the best serious option to initialize it?
> and to return to form?
>
> thank you very much
>
> 2006/9/27, Meidinger Chris :
>
> > It's broken.
> >
> > Chris
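Added example for the "fw1 site to site vpn subnet conflict" thread earlier on this page; this is editor-written code, not anything posted by Zoe, Duane or Travis, and it is not Check Point configuration. It models the translation that inbound access across the overlapping subnet needs, using Zoe's addresses (real subnet 192.168.100.0/24 presented to the client as 192.168.98.0/24, static NAT 192.168.98.10 -> 192.168.100.10, client hosts in 192.168.99.0/24). Assumptions not taken from the thread: the client's encryption domain is exactly 192.168.99.0/24, the client host is 192.168.99.50, the /24-behind-/24 translation is 1:1 by host part, and our VPN rule encrypts only traffic sourced from the 192.168.98.0/24 we present. The model shows why the static rule must translate both directions, as Duane's "why is your nat rule directional?" suggests: a reply that leaves with its real 192.168.100.10 source matches neither our encrypt rule (so no return traffic appears in the tunnel) nor, if it ever arrived, the client's routing, because the client owns a 192.168.100.0/24 of its own.

```python
"""Model of two-way NAT across a site-to-site VPN whose far end reuses our subnet.

Editor-written example. Addresses come from the mailing-list thread; the
client host, the exact client encryption domain, the 1:1 (host-part)
translation of the /24 and the encrypt-rule selector are assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace

IP = ipaddress.ip_address
NET = ipaddress.ip_network

OUR_REAL = NET("192.168.100.0/24")       # our only private subnet (from the thread)
OUR_NAT = NET("192.168.98.0/24")         # the /24 we present to the client (from the thread)
CLIENT_DOMAIN = NET("192.168.99.0/24")   # assumed: the client's encryption domain
# The client also owns a 192.168.100.0/24, which is the conflict in the thread.
CLIENT_LOCAL_NETS = [CLIENT_DOMAIN, NET("192.168.100.0/24")]

# Static NAT for the host the client must reach: NAT address -> real address.
STATIC_NAT = {IP("192.168.98.10"): IP("192.168.100.10")}
STATIC_NAT_REVERSE = {real: nat for nat, real in STATIC_NAT.items()}

# Assumed selector of our encrypt rule toward the client: only packets sourced
# from the presented range and bound for the client's domain enter the tunnel.
OUR_ENCRYPTION_DOMAIN = OUR_NAT


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def inbound_translate(pkt):
    """Client -> us: rewrite the NAT destination to the real server address."""
    if pkt.dst in STATIC_NAT:
        return replace(pkt, dst=STATIC_NAT[pkt.dst])
    return pkt


def outbound_translate(pkt, translate_reply_source):
    """Us -> client: move the source back into the /24 the client knows us by.

    translate_reply_source=False reproduces a rule pair whose reverse half
    leaves the source unchanged (translated source == original source).
    """
    if pkt.src not in OUR_REAL:
        return pkt
    if pkt.src in STATIC_NAT_REVERSE:
        if not translate_reply_source:
            return pkt
        return replace(pkt, src=STATIC_NAT_REVERSE[pkt.src])
    # Every other internal host: assumed 1:1 translation by host part into OUR_NAT.
    return replace(pkt, src=OUR_NAT[int(pkt.src) - int(OUR_REAL.network_address)])


def encrypted_into_tunnel(pkt):
    """Our VPN rule: encrypt only if both ends fall inside the tunnel's domains."""
    return pkt.src in OUR_ENCRYPTION_DOMAIN and pkt.dst in CLIENT_DOMAIN


def client_delivers(reply, original_dst):
    """What the client host does with a reply that reaches it.

    A reply sourced from one of the client's own subnets belongs to a local
    conversation as far as the client's routing is concerned, and it does not
    match the address the client sent to, so the exchange breaks.
    """
    if any(reply.src in net for net in CLIENT_LOCAL_NETS):
        return "misrouted: source is in a client-local subnet"
    if reply.src != original_dst:
        return "dropped: source does not match the address the client used"
    return "delivered"


def simulate(translate_reply_source):
    """One request/reply between an assumed client host and our NAT'ed server."""
    client_host = IP("192.168.99.50")                       # assumed
    request = Packet(src=client_host, dst=IP("192.168.98.10"))
    at_server = inbound_translate(request)                  # dst -> 192.168.100.10
    reply = Packet(src=at_server.dst, dst=at_server.src)    # server answers from its real IP
    reply_out = outbound_translate(reply, translate_reply_source)
    if not encrypted_into_tunnel(reply_out):
        return "no return traffic: reply does not match the VPN encrypt rule"
    return client_delivers(reply_out, request.dst)


if __name__ == "__main__":
    print("two-way static NAT :", simulate(translate_reply_source=True))
    print("one-way static NAT :", simulate(translate_reply_source=False))
```

The two runs in `__main__` are the two halves of the thread: with the reverse translation in place the reply goes back out as 192.168.98.10 and is delivered; without it the reply keeps its 192.168.100.10 source, falls outside the presented range that the encrypt rule (and, per Travis, the encryption domain and anti-spoofing group) is built on, and never appears as return traffic. `client_delivers` covers the remaining failure mode if such a packet did reach the far side.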