Frank Allan | 10 Sep 2004 12:32

RSA certificates and Routers

I have a Netcomm NB5540 router which has the capability to act as a 
L2TP VPN endpoint.
I need to make a VPN connection to my ISP, and they have provided an 
RSA certificate for a PC (Windows XP/2000)

Is there any way I can use this certificate to make the connection with 
the router?

I do not have, and do not want to have, a Windows box. I run Solaris 
and MacOS X at home and would like them both to connect to the ISP via 
the router.

The ISP does not have any experience with this sort of thing - it is a 
new setup, using a wireless link via a Proxim Tsunami modem to the POP, 
then creating the VPN link to access the internet. They have a 
preconfigured package with Windows certificates and instructions and no 
idea how to do it with other clients.

I do not have a choice of ISP due to my locality - the only other 
option would be modem dialup!

If it is not possible to use the RSA certificate with the router, is it 
possible to use the certificate with either Solaris or MacOS X?
The Mac has a L2TP client but no easy way I have found to import or use 
certificates.
I have found some info about Apple using KAME, but no details on how to 
use this to import the certificate.

I found this list address via a link from the ISP - I am not subscribed 
to the mailing list so please reply direct to me.

Nereu Gustavo | 10 Sep 2004 19:26

Contivity x Cisco

Hi Dears,

Has anyone interoperated a Contivity 600 with a
Cisco 7200 router?
I'm doing it, but it doesn't work.
Some tips?

best thanks!

Nereu
Siddhartha Jain | 10 Sep 2004 20:43

Re: Contivity x Cisco

 --- Nereu Gustavo <ngrcamara <at> yahoo.com.br> wrote: 
> Hi Dears,
> 
> Has anyone interoperated a Contivity 600 with a
> Cisco 7200 router?
> I'm doing it, but it doesn't work.
> Some tips?

Debugging and logs. Check the logs on the Cisco. Run
something like "debug crypto ipsec" on the Cisco router
and monitor the negotiations between the two boxes.
That will tell you where it is failing.

HTH,

Siddhartha
Marc Stavale | 10 Sep 2004 23:45

Pix 515E VPN tunnel via Cisco Client 4.0 thru a NATted home DSL router

Scenario: I have a Pix 515E configured to access a VPN tunnel. If I dial into the internet thru AT&T and get an IP of 206.x.x.x (internet routable) address and try to negotiate a tunnel using the Cisco VPN Client I can do so no problems. However, if I try to do one from my 'house' which is behind my DSL modem and thus has a NATted address (i.e. my modem outside is routable but my inside address on my computer is a 192.168.0.x address), my tunnel fails. Here is a copy of my Pix config and I do have the 'isakmp nat-traversal' command in it but it still fails. I haven't configured my inside conduits yet as I just want to get the tunnel working first. Any ideas?

 

Building configuration...
: Saved
:
PIX Version 6.3(3)133
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password fOtLfvYl90/VEkOk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname denvervpn
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit ip 192.168.0.0 255.255.252.0 192.168.113.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 12.45.111.234 255.255.255.248
ip address inside 192.168.8.17 255.255.255.248
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.113.1-192.168.113.254
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 102
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 12.45.111.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
crypto map map1 10 ipsec-isakmp dynamic map2
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup base1 address-pool vpnpool
vpngroup base1 dns-server 192.168.0.125
vpngroup base1 wins-server 192.168.0.126
vpngroup base1 default-domain amc.local
vpngroup base1 idle-time 1800
vpngroup base1 password ********
vpngroup base2 address-pool vpnpool
vpngroup base2 dns-server 192.168.0.125
vpngroup base2 wins-server 192.168.0.126
vpngroup base2 default-domain amc.local
vpngroup base2 split-tunnel 102
vpngroup base2 idle-time 1800
vpngroup base2 password ********
telnet timeout 5
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:5ddd4c6f87bb9677e21fdff9262b50ac
: end
[OK]

Marc Stavale
Network Engineer
Airmethods
7211 S. Peoria St.
Englewood Co. 80112
303-792-7491


_______________________________________________
VPN mailing list
VPN <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
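As an added example (not from the thread, not Cisco code), a small Python audit over the crypto-relevant lines of the config posted above: it confirms NAT-T is enabled, checks that every crypto map points at a dynamic-map that exists and is bound to an interface, and flags DES/MD5 and the default SNMP community. The embedded excerpt is copied from the post; the finding names are the script's own.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted above, abridged to the
# lines this audit looks at; the same checks work on the full dump.
PIX_CONFIG = """\
PIX Version 6.3(3)133
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map map1 10 ipsec-isakmp dynamic map2
isakmp enable outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

WEAK_ALGOS = {"des", "esp-des", "md5", "esp-md5-hmac"}

def audit_pix(config):
    """Return {finding_id: message} for a PIX 6.x running-config text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = {}
    # NAT-T carries ESP in UDP/4500 so a peer behind NAT/PAT stays reachable.
    if not any(l.startswith("isakmp nat-traversal") for l in lines):
        findings["no-nat-t"] = "isakmp nat-traversal is not configured"
    # A crypto map only works if its dynamic-map exists and it is bound to an
    # interface; the posted config carries a second map that has neither.
    dyn_defined, bound = set(), set()
    for l in lines:
        m = re.match(r"crypto dynamic-map (\S+) ", l)
        if m:
            dyn_defined.add(m.group(1))
        m = re.match(r"crypto map (\S+) interface ", l)
        if m:
            bound.add(m.group(1))
    for l in lines:
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", l)
        if not m:
            continue
        cmap, dyn = m.groups()
        if dyn not in dyn_defined:
            findings["dangling-dynmap:" + cmap] = f"{cmap} uses undefined dynamic-map {dyn}"
        if cmap not in bound:
            findings["unbound-map:" + cmap] = f"{cmap} is not applied to any interface"
    # DES and MD5 in the transform set or ISAKMP policy are weak choices.
    for l in lines:
        if (l.startswith(("crypto ipsec transform-set", "isakmp policy"))
                and set(l.split()) & WEAK_ALGOS):
            findings["weak-algo:" + l] = "DES/MD5 selected; prefer AES and SHA"
    if "snmp-server community public" in lines:
        findings["snmp-public"] = "default SNMP community 'public' is configured"
    return findings

if __name__ == "__main__":
    for fid, msg in audit_pix(PIX_CONFIG).items():
        print(f"{fid}: {msg}")
```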
stu | 12 Sep 2004 18:06

Which VPN solution is best Practice

Hello All

With all the options out there for linux (IPSec, PPTP, SSL tunnel etc.),
which is the best / "safest" free VPN to use?

I want to be able to link multiple satellite offices to a head office, where
they will connect to a central server for services.

Each office will have ADSL connecting to the internet and dynamic IP
addresses, although I can use a dynamic update client to make sure the domain
name for each site gets updated as the IP changes. 
So that is probably a consideration for the choice: it needs to support a domain
name and not an IP address.

Thanks
Stu

Bill Yazji | 12 Sep 2004 20:25

RE: Which VPN solution is best Practice

Your question is quite loaded....

There is no "one answer" or a solution that fits all cases.....

IPSec is probably the safest VPN method in my opinion...

~Bill 

Russell Howe | 12 Sep 2004 23:35

Re: Which VPN solution is best Practice

On Sun, Sep 12, 2004 at 01:25:07PM -0500, Bill Yazji wrote:
> Your question is quite loaded....
> 
> There is no "one answer" or a solution that fits all cases.....
> 
> IPSec is probably the safest VPN method in my opinion...

I'd have to say that from your description, IPsec sounds pretty
appropriate, too.

As long as the sites don't need to talk to each other... then IPsec
becomes complicated (although there are ways around that :)

> -----Original Message-----
> From: vpn-bounces+byazji=psualum.com <at> lists.shmoo.com
> [mailto:vpn-bounces+byazji=psualum.com <at> lists.shmoo.com] On Behalf Of stu
> Sent: Sunday, September 12, 2004 11:07 AM
> To: vpn <at> lists.shmoo.com
> Subject: [VPN] Which VPN solution is best Practice
> 
> With all the options out there for linux, IPSec, PPTP, SSL Tunnel etc Which
> is best "safest" free vpn to use.
> 
> I want to be able to link multiple satellite offices to a head office, where
> they will connect to a central server for services.
> 
> Each office will have ADSL connecting to the internet and Dynamic IP
> addresses, although I can use dynamic update client to make sure the domain
> name for each site gets updated as the ip changes. 
> So that is probably a consideration for the choice, needs to support domain
> name and not ip address.

Not necessarily.

If you were using IPsec, you could say "allow connections from any IP
address" on the head office box, and then make the satellite offices
initiate the IPsec session.

Only problem there is when (if?) your IPsec implementation becomes
remotely exploitable, it's listening on the public internet for
connections from anywhere (although I guess you could constrain it to a
set of netblocks, related to the ISP(s?) that the branches use).

One of the *S/WAN forks (OpenS/WAN might be worth a try) should be able
to handle this situation pretty well.

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe <at> siksai.co.uk | when you can be the spanner in the works?
Paolo Alexis Falcone | 13 Sep 2004 07:16

Re: Which VPN solution is best Practice


Quoting stu <stu <at> gateway10.homeip.net>:

> Hello All
> 
> With all the options out there for linux, IPSec, PPTP, SSL Tunnel
> etc
> Which is best "safest" free vpn to use.
> 
> I want to be able to link multiple satellite offices to a head office,
> where
> they will connect to a central server for services.
> 
> Each office will have ADSL connecting to the internet and Dynamic IP
> addresses, although I can use dynamic update client to make sure the
> domain
> name for each site gets updated as the ip changes. 
> So that is probably a consideration for the choice, needs to support
> domain
> name and not ip address.

A good practice would be employing a standards-compliant solution such
as IPSec for your VPN. Given that your nodes do have proper support for
IPSec, it can be said that these nodes can be interconnected (in
theory it's like that; in practice... well, configuring is sometimes a
pain).

-- 
  -->paolo

Paolo Alexis Falcone
pfalcone <at> free.net.ph
fallenlord <at> openoffice.org

_____________________________
Philippine Free Network Group
free.net.ph
Jean-Francois Dive | 13 Sep 2004 09:01

Re: Ipsec stalling

You had better be sure this is simply not your internet line which is
bursty. From what you're saying, it is possible. What I mean: try to get
some timing measurements between the sites, say, a day long, all of this
outside any ipsec tunnel, then see if it correlates with the hiccups
(to do so, a script / rrdtool or cricket or nagios or you name it).
If it does hiccup, your ISP is the problem; otherwise, you know you have an
ipsec/routing/resource/whatever problem on your obsd box.

J.

On Mon, Oct 18, 2004 at 06:53:58AM -0600, Bob DeBolt wrote:
> OpenBSD 3.4 Generic
> 
> Greets
> 
> I have a scenario that is weird to say the least.
> 
> I have numerous IPsec connected networks running
> and they run very well indeed. I do have however
> 1 particular network that started "stalling" every
> 11 - 12 minutes. It doesn't die, it simply seems to 
> stall out and then carry on. When working on the 
> system it seems to pulse.( quite annoying actually )
> 
> It doesn't matter the time of day or night.
> 
> With the exception of IP and password, all the networks
> I run are identical in setup, and every other one is fine.
> 
> It is inside the tunnel that this primarily occurs and normally 
> on one particular end. It does however show itself in identical 
> fashion on the other tunneled end although less frequently. Even 
> less frequently the pattern shows itself on the public IP side, 
> When both ends of the tunnel are on the 11 minute stall cycle 
> they do NOT always happen at the same time, they can be approx. 
> 1 - 2 minutes apart.
> 
> The stall lasts for very close to 30 seconds and then the network 
> continues fine. As mentioned, this pattern repeats itself.
> 
> I have changed the Check-interval incrementally from 600 down 
> to 3 seconds with no effect.
> 
> It seems to me that this is a service provider issue, unless 
> there are some additional timings that I can change but am unaware of.
> 
> Anyone seen something like this, or have any setting recommendations?
> 
> Sincerely
> 
> Bob DeBolt
> 

-- 
-> Jean-Francois Dive
--> jef <at> linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde
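An added example implementing the correlation suggested above (not part of the original message): it detects stall windows in a probe log, computes their length and period, and compares the in-tunnel series against one taken outside the tunnel. The probe data is constructed to mimic the reported 30 s stalls every 11-12 minutes; a real run would feed it samples from a ping/rrdtool collector.

```python
from datetime import datetime, timedelta

T0 = datetime(2004, 10, 18, 6, 0)   # constructed start of the probe log

def make_series(start, seconds, step, stall_starts, stall_len, base_rtt=25.0):
    """Constructed probe log: list of (timestamp, rtt_ms), None = timeout."""
    out = []
    for s in range(0, seconds, step):
        stalled = any(b <= s < b + stall_len for b in stall_starts)
        out.append((start + timedelta(seconds=s), None if stalled else base_rtt))
    return out

def stall_windows(samples, rtt_threshold_ms=500.0):
    """Merge consecutive timeouts or very slow probes into (start, end) windows."""
    windows, cur = [], None
    for t, rtt in samples:
        bad = rtt is None or rtt > rtt_threshold_ms
        if bad and cur is None:
            cur = t
        elif not bad and cur is not None:
            windows.append((cur, t))
            cur = None
    if cur is not None:  # stall still open when the log ends
        windows.append((cur, samples[-1][0]))
    return windows

def summarize(windows):
    """Average stall length and average spacing between stall starts (seconds)."""
    if not windows:
        return {"count": 0, "avg_duration_s": 0.0, "avg_period_s": 0.0}
    durations = [(e - s).total_seconds() for s, e in windows]
    gaps = [(windows[i + 1][0] - windows[i][0]).total_seconds()
            for i in range(len(windows) - 1)]
    return {"count": len(windows),
            "avg_duration_s": sum(durations) / len(durations),
            "avg_period_s": sum(gaps) / len(gaps) if gaps else 0.0}

def coincidence(tunnel_windows, line_windows, tolerance_s=120):
    """Fraction of tunnel stalls with a plain-line stall starting within
    tolerance_s; the thread reports the two ends drifting 1-2 minutes apart."""
    if not tunnel_windows:
        return 0.0
    hits = sum(any(abs((ts - ls).total_seconds()) <= tolerance_s
                   for ls, _ in line_windows) for ts, _ in tunnel_windows)
    return hits / len(tunnel_windows)

def diagnose(tunnel_samples, line_samples):
    """'isp' when the raw line stalls in step with the tunnel, else 'local'."""
    tw, lw = stall_windows(tunnel_samples), stall_windows(line_samples)
    return "isp" if coincidence(tw, lw) >= 0.5 else "local"

if __name__ == "__main__":
    # constructed: one hour of 5 s probes, 30 s stalls every 11.5 minutes
    tunnel = make_series(T0, 3600, 5, [100 + 690 * i for i in range(6)], 30)
    line = make_series(T0, 3600, 5, [], 30)  # the raw line shows no stalls
    print(summarize(stall_windows(tunnel)), diagnose(tunnel, line))
```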
Hart, Kevin | 13 Sep 2004 16:27

RE: Pix 515E VPN tunnel via Cisco Client 4.0 thru a NATted home DSL router

If I understand this correctly... the VPN client behind a PAT device cannot
connect to the PIX 515 firewall.
Isakmp NAT traversal on the PIX will allow multiple clients behind a PAT
device to connect, but is not related to your problem.

It would seem that you need to enable IPSEC passthrough on your home network
device. Do you have a router behind the DSL modem? If not, is there any way
to enable this on the DSL modem? The other possibility is that your ISP is
blocking IPSEC.

Are you logging to Syslog on the PIX? This will give you good information as
to what is happening on that end.

Kevin

 