VPN user | 13 Mar 2007 12:11

Cisco VPN before NAT

Hi,

I have the following problem, and can't seem to find a solution.

I have 2 Cisco routers, A and B, with a VPN connection. Both routers have a serial interface pointing to the outside and an ethernet interface (let's call them A and B) pointing to the inside.

Traffic between subnet A and B is NOT NATed and the VPN works fine.

Now, router B has a second ethernet interface (C), to subnet C.

I added this subnet to the IPsec ACLs on both routers as I want to allow subnet A to access subnet C through the VPN.
The tunnel is up and running with no NAT being done.

However, on router B, access from subnet B to C is NATed:

Interface B
ip nat inside
!
Interface C
ip nat outside
!
ip nat inside source route-map NAT interface C overload
!
route-map NAT permit 10
  match ip address 123
!
access-list 123 permit ip SUBNET_B SUBNET_C

G.Anushya | 7 Mar 2007 09:45

(L2TP) username format for network connection.

Hi,

After configuring the network connection for VPN in Windows XP, the username field accepts any format (including special symbols, numerals and characters). But the connection is not established for some username formats even though the configuration details are correct. Can anybody please help me find out whether the username format is not accepted by Windows, not accepted by the VPN, or something else? What other formats can be used?


*********************
Thanks and Regards,
Anushya. G
*********************

_______________________________________________
VPN mailing list
VPN <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
Anushya | 7 Mar 2007 06:06

Linux as a L2TP client

Hi,
 
My Windows XP machine is acting as an L2TP server, and I want to configure a Linux machine as an L2TP client. How do I configure it? Any tutorials or links, please.

Regards,
G. Anushya,
Junior Member (QA),
anushya <at> gsecone.com

tbird | 26 Feb 2007 12:43

Recent list postings

Hi all --

I've been dealing with a family emergency for several days, and have just cleared out hundreds of spam from the moderating queue. It's quite likely that I've unintentionally deleted real messages. Please accept my apologies.

If you've posted any messages to the list in the last week or so, and haven't seen them online, please re-post. I'll be sure to check the queue later today.

cheers -- tbird
George Jammal | 23 Jan 2007 17:21

Internet access through vpn (gateway-to-gateway)

Hello everyone,

I have 2 offices each with its own router (Netgear FVS318v3) and
internet access with a different ISP. I'm trying to get computers in
office1 to access the internet (at least http) through  the router  in
office2. In other words, if a computer in office1 attempts to go to a
website using a browser I want the request to go through the vpn tunnel
to the router in office2 and to use the ISP of router2.

I haven't seen anything in the Netgear documentation that describes this
scenario. I would like to know if I can configure Win2k in office1
and/or the routers to accomplish this (preferably without involving any
computer in office2). Is this even possible? If not, what is the minimum
software or hardware I need to accomplish this?

On their own, the routers are working fine and a vpn tunnel is
established between the 2 routers. I can ping computers in office2 from
a computer in office1 and windows networking is working between the 2
offices (i.e. I can see computers in the other office in 'My Network
Places' and copy files back and forth).

I appreciate and welcome any suggestions even if not specific to the FVS318.

George
younes aoufi | 15 Jan 2007 17:26

VPN Client warning

Hi all,

I am about to deploy a solution for the secure transfer of data between a remote station and servers located at my company's headquarters.

For this I chose the Cisco product: 2 concentrators 3000 (main and backup), and I installed Cisco VPN Client 4.6 on the remote stations.

I configured the VPN Client to launch at station start-up and to check connectivity with the main concentrator every 3 minutes, so that if there is a problem with the concentrator it reconnects automatically to the backup (the backup takes over the private and public addresses of the main one).

Now, if there is a problem on the station itself (for example the network cable is disconnected), connectivity with the concentrator will be cut and the VPN Client will try to reconnect every three minutes. After a certain time (15 min in practice), the VPN Client displays the following warning:

“Warning 201: The necessary VPN sub-system is not
available. You can not connect to the remote VPN
server... ”

I want to know if there is a way to keep this warning (and other warnings) from being displayed on the screen, so that, once the problem on the station is solved, the VPN Client can automatically reconnect to the concentrator.

All suggestions are welcome. Thank you in advance.

Regards.

Younes

Anupam Gaur | 10 Jan 2007 02:12

PIX Through RSA

Dear All

We are using a PIX 515E (ver 6.3).
In Checkpoint we have the option of desktop security, which restricts outside VPN users from accessing everything inside the network.

But in PIX, can we enable any authorization for external VPN users authenticated through RSA?

Please advise.
My RSA vendor has given up.

Regards
Anupam
Younyim Park | 8 Jan 2007 06:34

IPsec and SSL VPN

Hi all,
I have a quick question.
Is it technically possible to implement both IPsec and SSL VPN on the same machine?
I mean using IPsec and SSL VPN at the same time. I have never heard about it, though.

Thanks in advance.
Josh

Tina Bird | 28 Dec 2006 22:55

List vacation


Hi all --

I've just returned from my winter holidays, and cleared out huge quantities of spam from the moderation queue. I tried to check everything with a vaguely plausible subject line (using an apparently excessively generous definition of "plausible"), but it's possible that I deleted some legitimate traffic.

If you've posted something and it has not been distributed, please re-submit it.

thanks -- tbird
Todd M. Simons | 13 Dec 2006 02:13

Re: Cisco Router IOS to Symantec Raptor

<I'm a Symantec person>

The negotiation is a problem with PIX v5.2 thru v6.3; I'm not sure how that maps to router IOS versions.  One way around this is to set the Symantec side timeouts higher than the Cisco side, and have a persistent PING going from a host behind the PIX (yes, I spent way too much time on this).

You may also try defining a class C space on the Symantec side, then restrict tunnel access to the 3 specific hosts using either the proxy services with rules or with filters on the VPN policy.  I have seen Cisco choke with multiple entities on the Symantec side as well.

Check out:
        http://groups.yahoo.com/symantecfirewalls

It has some good content, unfortunately it doesn't have all the old firetower (aka [rapt]) content.  You can try googling:  [rapt] +cisco +vpn

~Todd

_____________________________________________
From:   vpn-bounces+tsimons=delphi-tech.com <at> lists.shmoo.com [mailto:vpn-bounces+tsimons=delphi-tech.com <at> lists.shmoo.com]  On Behalf Of Nate Goddard

Sent:   Tuesday, December 12, 2006 5:58 PM
To:     VPN Lists Schmoo
Subject:        [VPN] Cisco Router IOS to Symantec Raptor

Hello,
        I have been unable to reach the list site to look for any archives on this question, so I'll throw it out there.  I'm trying to set up an IPSec VPN tunnel from a Cisco Router (on which I have several hundred successful site-to-site tunnels) running IOS 12.4(7) to a Symantec Raptor.  Unfortunately, I can't really provide much detail about the Symantec because it's a customer/vendor's device.  At one point the tunnel did work, but started failing, and now it fails when something behind the Symantec tries to initiate a tunnel, but not when something behind the Router initiates the tunnel.

        To lay out some details (which have been obfuscated to protect identity and security):

Cisco side:
Inside IP: 10.1.1.25 (local subnet has routing to encr dom)
Outside IP: 1.2.3.4
Preshared key
P1: 3DES MD5 DH2
P2: 3DES MD5 no-pfs
Local encryption domain: 7.8.9.0/24 (public space)
Sample ACL for crypto map:
        permit ip 7.8.9.0 0.0.0.255 host 172.16.10.56
        permit ip 7.8.9.0 0.0.0.255 host 172.16.10.113
        permit ip 7.8.9.0 0.0.0.255 host 172.16.10.78


Symantec Raptor side:
Inside IP: 172.16.10.254
Outside IP: 21.22.23.24
Preshared key
P1: 3DES MD5 DH2
P2: 3DES MD5 no-pfs
Local encryption domain: group containing 172.16.10.56, 172.16.10.113, 172.16.10.78
Remote encryption domain: 7.8.9.0 255.255.255.0


        It used to work fine this way, with a single local group for the hosts on the Raptor side, and a subnet on the Cisco side, and each host had its own IPSec SA (tunnel) to the subnet on the Cisco side.  Then the Raptor changed behavior and started to try to use any existing SA for any 1 of the 3 hosts to encrypt traffic for the other 2 when a system behind the Raptor was the initiator of traffic and negotiations. If the Cisco side initiates to all 3 separately, creating the SAs itself, then the tunnel works bi-directionally as it should, until the P2 SAs expire.  At the moment, there is no way to identify what firmware change, or config change on the Raptor caused this, so rolling things back is not a practical option (unless someone knows exactly what the issue is).

        We tried disabling that group and tunnel (perhaps deleting it would be more thorough and a better test?) and creating 3 totally separate tunnels on the Raptor, using the same key, etc. as the 1 defined S-2-S tunnel on the Cisco, but systems behind the Raptor still cannot initiate a tunnel.  As I said, perhaps deleting the old one (not just disabling it) is necessary.

        I ran into the same issue with another customer/vendor using a Raptor, where they were using a group, and switching them to individual tunnels resolved the bi-directional initiation issues (it introduced some minor problems that I'm ignoring here).


        Anyone have any experience with a Cisco to Raptor tunnel with a subnet and hosts (or anything like this) that could shed some light on this?


Nate

Nate Goddard | 12 Dec 2006 23:57

Cisco Router IOS to Symantec Raptor

Hello,
	I have been unable to reach the list site to look for any archives on this question, so I'll throw it out there.  I'm trying to set up an IPSec VPN tunnel from a Cisco Router (on which I have several hundred successful site-to-site tunnels) running IOS 12.4(7) to a Symantec Raptor. Unfortunately, I can't really provide much detail about the Symantec because it's a customer/vendor's device.  At one point the tunnel did work, but started failing, and now it fails when something behind the Symantec tries to initiate a tunnel, but not when something behind the Router initiates the tunnel.
	To lay out some details (which have been obfuscated to protect identity and security):

Cisco side:
Inside IP: 10.1.1.25 (local subnet has routing to encr dom)
Outside IP: 1.2.3.4
Preshared key
P1: 3DES MD5 DH2
P2: 3DES MD5 no-pfs
Local encryption domain: 7.8.9.0/24 (public space)
Sample ACL for crypto map:
	permit ip 7.8.9.0 0.0.0.255 host 172.16.10.56
	permit ip 7.8.9.0 0.0.0.255 host 172.16.10.113
	permit ip 7.8.9.0 0.0.0.255 host 172.16.10.78

Symantec Raptor side:
Inside IP: 172.16.10.254
Outside IP: 21.22.23.24
Preshared key
P1: 3DES MD5 DH2
P2: 3DES MD5 no-pfs
Local encryption domain: group containing 172.16.10.56, 172.16.10.113,
172.16.10.78
Remote encryption domain: 7.8.9.0 255.255.255.0

	It used to work fine this way, with a single local group for the hosts on the Raptor side, and a subnet on the Cisco side, and each host had its own IPSec SA (tunnel) to the subnet on the Cisco side.  Then the Raptor changed behavior and started to try to use any existing SA for any 1 of the 3 hosts to encrypt traffic for the other 2 when a system behind the Raptor was the initiator of traffic and negotiations. If the Cisco side initiates to all 3 separately, creating the SAs itself, then the tunnel works bi-directionally as it should, until the P2 SAs expire.  At the moment, there is no way to identify what firmware change, or config change on the Raptor caused this, so rolling things back is not a practical option (unless someone knows exactly what the issue is).
	We tried disabling that group and tunnel (perhaps deleting it would be more thorough and a better test?) and creating 3 totally separate tunnels on the Raptor, using the same key, etc. as the 1 defined S-2-S tunnel on the Cisco, but systems behind the Raptor still cannot initiate a tunnel. As I said, perhaps deleting the old one (not just disabling it) is necessary.
	I ran into the same issue with another customer/vendor using a Raptor, where they were using a group, and switching them to individual tunnels resolved the bi-directional initiation issues (it introduced some minor problems that I'm ignoring here).

	Anyone have any experience with a Cisco to Raptor tunnel with a
subnet and hosts (or anything like this) that could shed some light on this?

Nate
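As an added illustration, not from Nate's or Todd's mail, of the behaviour Nate describes: each line of the Cisco crypto ACL yields its own phase-2 SA with its own proxy IDs, so a packet from one Raptor-side host cannot ride the SA negotiated for another host, because it fails the responder's selector check. The Python below models that check with the obfuscated addresses from the post; the helper names and the modelled Raptor behaviour are assumptions.

```python
import ipaddress

# Constructed from the obfuscated addresses in Nate's post: one Cisco
# crypto-ACL line per Raptor-side host, local subnet 7.8.9.0/24.
CRYPTO_ACL = [
    ("7.8.9.0/24", "172.16.10.56/32"),
    ("7.8.9.0/24", "172.16.10.113/32"),
    ("7.8.9.0/24", "172.16.10.78/32"),
]


def selector_for(acl, local_ip, remote_ip):
    """Return the (local, remote) selector of the first crypto-ACL line that
    permits local_ip -> remote_ip, or None if no line matches (the packet is
    not 'interesting traffic' and will neither bring up nor use an SA)."""
    s, d = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    for local, remote in acl:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def bring_up_all(acl):
    """Model the Cisco initiating to every ACL line: one phase-2 SA per
    line, keyed by its proxy IDs. This is the working case in the post."""
    return {sel: f"SA-{i}" for i, sel in enumerate(acl, 1)}


def inbound_accepts(sa_selector, remote_src, local_dst):
    """Selector check the responder applies to a decrypted packet: its
    addresses must fall inside the proxy IDs the SA was negotiated for."""
    local, remote = sa_selector
    return (ipaddress.ip_address(remote_src) in ipaddress.ip_network(remote)
            and ipaddress.ip_address(local_dst) in ipaddress.ip_network(local))


def raptor_reuses_sa(sas, sa_host, pkt_src, pkt_dst):
    """Assumed model of the Raptor behaviour in the post: it sends a packet
    from pkt_src over the SA that was negotiated for sa_host. Returns True
    only when the Cisco side would accept that packet on that SA."""
    sel = ("7.8.9.0/24", f"{sa_host}/32")
    if sel not in sas:
        return False  # no SA for that host exists yet
    return inbound_accepts(sel, pkt_src, pkt_dst)
```

Traffic from .113 carried on the .56 SA is rejected by the selector check, which matches the one-way failure described once the Raptor started sharing SAs across the group.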

