zoe | 4 Sep 2006 17:02

Re: fw1 site to site vpn subnet conflict

I can't change the subnets at either end and I can't change the IP's on any
of the servers. When I access hosts on their subnet I can use the real
addresses of their hosts because I'm not using the subnet that these hosts
are on in my network.

Example scenario

- My network = 192.168.100.0. I apply a rule that NAT's this behind
192.168.98.0 for connections to client
- Hosts on client network that I need to access are in the 192.168.99.0 I'm
not using this range at all so hosts on my network can use the real
addresses to get to servers on client network
- Client needs to get to some of my servers. His clients can't use the real
addresses of my servers because they will be routed off to the 192.168.100
subnet on their network.
- To overcome this I tried setting up a static nat rule like the one below
for one of the hosts that they are trying to access. 
E.g  original packet = src=client_encryption_domain dest=192.168.98.10 
     translated packet = destination=192.168.100.10
     original packet = src=192.168.100.10 dest=client_encryption_domain 
     translated packet = source=192.168.100.10

I initially got errors (dropped packet forwarded between two interfaces)
until I set up a static route on the firewall (e.g 192.168.98.10
255.255.255.255 gw 192.168.100.10)
After this I did see the encypted traffic coming through when they tried to
access the host using the nat address (192.168.98.10) but they didn't get
any response from the machine and I couldn't see any return traffic. 

Cheers
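To make the translation pair in the scenario above concrete, here is an added model (not from the original post or any firewall vendor) of a bidirectional static NAT for one host: the inbound rule rewrites the NAT destination to the real address, and the return rule must rewrite the real source back to the NAT address, or the reply leaves carrying an address that sits inside a subnet the client also uses. The client encryption domain (192.168.99.0/24), the client's own 192.168.100.0/24 subnet and the host addresses are assumptions taken from the scenario.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed from the thread's scenario (assumed values, not a real config):
# my real host 192.168.100.10 is presented to the client as 192.168.98.10.
CLIENT_ENCRYPTION_DOMAIN = ip_network("192.168.99.0/24")
PEER_LOCAL_SUBNETS = [ip_network("192.168.100.0/24")]  # also in use at the client
STATIC_NAT = {ip_address("192.168.98.10"): ip_address("192.168.100.10")}  # nat -> real
REVERSE_NAT = {real: nat for nat, real in STATIC_NAT.items()}              # real -> nat


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def translate_inbound(pkt: Packet) -> Packet:
    """Client -> me: rewrite the NAT destination to the real host."""
    if pkt.src in CLIENT_ENCRYPTION_DOMAIN and pkt.dst in STATIC_NAT:
        return replace(pkt, dst=STATIC_NAT[pkt.dst])
    return pkt


def translate_outbound(pkt: Packet) -> Packet:
    """Me -> client: the reply must leave with the NAT address as its source."""
    if pkt.dst in CLIENT_ENCRYPTION_DOMAIN and pkt.src in REVERSE_NAT:
        return replace(pkt, src=REVERSE_NAT[pkt.src])
    return pkt


def reply_matches_peer_view(request: Packet, reply: Packet) -> bool:
    """True when the translated reply is the exact mirror of what the client sent."""
    out = translate_outbound(reply)
    return out.src == request.dst and out.dst == request.src


def reply_collides_with_peer_lan(reply: Packet) -> bool:
    """True when an untranslated reply's source would be routed locally at the client."""
    return any(reply.src in net for net in PEER_LOCAL_SUBNETS)


if __name__ == "__main__":
    req = Packet(ip_address("192.168.99.5"), ip_address("192.168.98.10"))
    inbound = translate_inbound(req)
    reply = Packet(inbound.dst, inbound.src)  # host answers from its real address
    print("inbound after NAT :", inbound)
    print("reply before NAT  :", reply, "collides:", reply_collides_with_peer_lan(reply))
    print("reply after NAT   :", translate_outbound(reply))
```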

Travis Watson | 4 Sep 2006 20:37

Re: fw1 site to site vpn subnet conflict

Zoe,

I think you would be best off with a pool NAT.  If both sides are 
192.168.x, you can make a network object for something in 10.x or 
172.16.x, or whatever, and have the route for that netblock to point to 
the internal core router, which will take care of the rest of the 
routing logic from there.  It's been years since I've worked with a 
Chokepoint, but I believe that you put the netblock in the encrypt rule 
itself (and make sure it is part of the encryption domain and 
anti-spoofing group so you don't get anti-spoofing errors).  This way 
you don't have to worry about making NAT rules and it gives you room for 
growth if/when this situation comes up again.  You *may* have to play 
with the SA's on both sides, but I don't think so (CP has their own 
proprietary way of dealing with SA's, but it's pretty close to everyone 
else).  Pity you don't have Netscreens--they have a much more elegant 
solution to the problem you're facing.  But CP can handle it, I believe.

--Travis


Joseph S D Yao | 5 Sep 2006 18:17

Re: fw1 site to site vpn subnet conflict

If you dual-proxy with two firewalls, you can use DNS internally to each
network but not resolve each other's IP addresses.

you - fw#1 ----------- fw#2 - them
	IP address network
	unused on either side

To elaborate:

Say, you are using all 10.0's, 10.1's, 10.2's, and 10.3's, and they are
using 10.3's, 10.4's, and 10.5's.  Choose a 10.255.255 or a 172.31.255
for the in-between network.

When someone wants to do a Web browse, have your Web browser proxy to
fw#1, and fw#1 forwards the proxy message for them.com to fw#2, which
uses their own DNS to resolve the name.  Similarly, their Web browsers
proxy to fw#2, which forwards the proxy message for you.com to fw#1,
which uses your own DNS to resolve the name.

When someone wants to send mail, have your mail server forward all
them.com e-mail to fw#1, which will forward it all to fw#2, which will
either forward it to a given mail server on their side or use their own
DNS to determine the mail server.  Similarly, when they want to send you
e-mail, their mail server will forward all you.com e-mail to fw#2, which
will forward it all to fw#1, which will either forward it to a given
mail server on your side or use your own DNS to determine the mail
server.

Other services can be similarly proxied.


Virendra Yelurkar | 6 Sep 2006 06:51

Routing and Signaling protocol considerations in IPSec VPN.

Dear members,

 I am doing a deployment study for one of our IPSec VPN products.
 Am I supposed to study "Routing and Signaling protocol considerations in IPSec VPN"?
 If yes, then does anybody have more information regarding this?
 Waiting for an early response.

 
-----------------------------------------------------------------------
Regards,

Virendra Yelurkar,
Pune,India.
"emotions provoke the desire but ........kills the performance!"

_______________________________________________
VPN mailing list
VPN <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
Aaron none | 18 Sep 2006 14:52

Force VPN traffic

I am a home user trying to route all of my traffic thru my work proxy.
I use IPSEC VPN and connect without any problems to work. While I'm
connected, everything works fine and all of my traffic (Not just port
80 or http, it includes pop, games, etc.) goes thru the work proxy.
The problem is when my internet connection resets every 15 minutes or
so, the VPN drops and a dialogue pops up asking me if I want to
reconnect to the VPN. If I'm sitting there, I just reconnect, but if
I'm away, all of my traffic goes straight to the internet without going
through the proxy. I'm trying to deal with my ISP to get a workaround
for the internet disconnecting. In the meantime, what can I do? I
want to prevent my computer from using the non VPN IP when I'm away.
I'm using Comcast Cable internet, Win XP SP2, and a linksys router, and
the Windows built in dialer for connecting to the VPN. Is there a
third party VPN client that could redial without the dialogue box, or
can I disable the one that the Windows dialer uses? Is there another
way to force my computer to not use the non Proxy IP? Thanks for your
help.

aaron

Meidinger Chris | 18 Sep 2006 23:39

Re: Force VPN traffic


Hi Aaron,

What kind of proxy are you using at work? Are you socksifying everything?

Or do you mean that you want to route stuff over work without actually proxying it?

Chris

Cesar Martinez | 26 Sep 2006 20:46

concentrator cisco

I have this equipment
VPN Concentrator Type: 3005
Serial Number:CAM01371509
Bootcode Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 2.5.Rel Jun 21 2000 18:57:52
Software Rev: Cisco Systems, Inc./VPN 3000 Concentrator Version 4.0.4.A Dec 10 2003 19:32:50

and I need to change the parameters of the base group, but the equipment does not keep the changes for me.... I enter the equipment as administrator... and I have already tried dropping all the users and groups from the rolls... but the problem continues.... it does not keep changes in the base group... but on any other created group it accepts the changes.
Any ideas? Tips?


I have a Cisco document of which I want to make the Document ID: 5403

 thank you very much

Meidinger Chris | 27 Sep 2006 10:32

Re: concentrator cisco

It's broken.

Chris 

Meidinger Chris | 28 Sep 2006 12:01

Re: concentrator cisco

I would try exporting your config, switching to your backup
concentrator, installing the newest firmware from cisco and
reconfiguring.

If that doesn't work, vpn3000's make great paperweights.

Chris 

> -----Original Message-----
> From: Cesar Martinez [mailto:mtzcesar <at> gmail.com] 
> Sent: Wednesday, September 27, 2006 8:59 PM
> To: Meidinger Chris
> Subject: Re: [VPN] concentrator cisco
> 
> What is the best serious option to initialize it?
> And to restore it to form?
> 
> thank you very much 
> 