Re: [leaf-user] ipsec connect to this?
Michael, I have been running VPN tunnels between my Dachstein machines and Ciscos for some time. It is no problem. Yes, you should use tunnel mode. Telling you otherwise only proves the person you are dealing with does not understand what he/she is saying. Here is an explanation I pulled down for you:

- - - - - - - - - - - - - - -

Also from my reading ("IPSec", ISBN 0-13-011898-2) transport mode is host to host, whereas tunnel mode goes "through" the hosts (simple but it's an important difference). That is, in transport mode the data payload is encrypted, AH/ESP is tacked on, etc. and the packet is simply sent to the other system. In tunnel mode the entire packet is taken, encrypted, AH/ESP is tacked on, and that is loaded as the data payload and bundled off to another system (think of someone being clubbed on the head, shoved into a large sack, bundled into a van and driven off). In some ways tunnel mode is "more secure" because the attacker can't actually see the IPs/etc. it's really for. If you want a good book on IPSec I'd highly recommend this one, it covers the protocol and theory really well.

-Kurt Seifried

- - - - - - - - - - - - - - - - -

Best Regards,
Roger McClurg

--
Date: Fri, 08 Nov 2002 01:16:01 -0600
From: "Michael D. Schleif" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Organization: mds resource
To: LEAF <[EMAIL PROTECTED]>
Subject: Re: [leaf-user] ipsec connect to this?

Correct me if I am wrong; but, isn't transport mode solely for host-to-host VPNs?

Everything seems to be OK in auth.log and ipsec look appears OK, when I use tunnel mode -- however, we cannot ping nor telnet nor ftp to the other side. tcpdump shows outgoing requests; but, nothing comes back.

Unfortunately, the other side is not cooperative, because he insists that we must use a Cisco like he is, and he's determined to prove that to us all ;<

When I select type=transport, the auth.log process never completes and no ``IPSec SA is established ...'' appears.

What do you think?
"Michael D. Schleif" wrote:
>
> Received following set of requirements for one of our DCD's to connect
> to a remote non-DCD site:
>
> ISAKMP Policy:
> Encryption: 3DES
> Hash: MD5
> Authentication: pre shared keys
> Diffie-Hellman group 1 or 2
>
> Use the following key:
> IPSec GW Address: 204.235.103.2
>
> Destination Network: 204.235.101.128 255.255.255.240
>
> IPSec Policy
> ESP Transform: 3DES
> ESP Authentication Transform: md5-hmac
>
> IPSec mode is transport. Please be sure to apply NAT *BEFORE* IPSec.
> Private Addresses leaked onto the network will be rejected.
>
> We have not set up ipsec to non-DCD before.
>
> Is this doable?
>
> Is above information adequate?
>
> Is there anything unusual to this setup?

--
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I

---
This sf.net email is sponsored by: See the NEW Palm Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
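The transport-versus-tunnel difference Roger quotes above, as an added illustration that is not part of the thread: a minimal model of the ESP packet layout in each mode and of what a passive observer on the path can read from the cleartext outer header. Encryption and the ICV are stubbed (an XOR mask and zero bytes stand in for 3DES-CBC and HMAC-MD5-96), the local gateway address is a constructed documentation address, and only 204.235.103.2 and the 204.235.101.128/28 network come from the thread. Note that in transport mode the private 192.168.1.5 address stays visible on the wire, which is exactly what the peer's "NAT before IPsec" requirement is about.

```python
import socket
import struct

ESP = 50  # IP protocol number for ESP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; only the layout matters here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def esp_encapsulate(spi, seq, plaintext, next_header):
    """ESP header + body + trailer + ICV. The body is only XOR-masked as a
    stand-in for 3DES-CBC; the 12 zero bytes stand in for HMAC-MD5-96."""
    pad_len = (-(len(plaintext) + 2)) % 8        # 3DES-CBC needs 8-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    masked = bytes(b ^ 0x5A for b in plaintext + trailer)
    return struct.pack("!II", spi, seq) + masked + b"\x00" * 12

def transport_mode(src, dst, segment):
    """Transport mode: the original IP header stays in the clear, ESP wraps the TCP segment."""
    esp = esp_encapsulate(0x1000, 1, segment, 6)  # next header 6 = TCP
    return ipv4_header(src, dst, ESP, len(esp)) + esp

def tunnel_mode(gw_src, gw_dst, src, dst, segment):
    """Tunnel mode: the whole inner packet is wrapped; the new outer header names only the gateways."""
    inner = ipv4_header(src, dst, 6, len(segment)) + segment
    esp = esp_encapsulate(0x1000, 1, inner, 4)    # next header 4 = IP-in-IP
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def observer_view(packet):
    """What a passive observer reads from the cleartext outer header: (src, dst, proto)."""
    proto, src, dst = struct.unpack("!B2x4s4s", packet[9:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto

# Constructed sample: a host behind the DCD talking to a host in the remote
# 204.235.101.128/28 network; the local gateway 203.0.113.10 is made up.
SEGMENT = b"\x04\xd2\x00\x17" + b"\x00" * 16      # placeholder TCP header, port 1234 -> 23
T = transport_mode("192.168.1.5", "204.235.101.130", SEGMENT)
U = tunnel_mode("203.0.113.10", "204.235.103.2", "192.168.1.5", "204.235.101.130", SEGMENT)
```

Parsing `T` shows the real endpoints in the clear, while `U` shows only the two gateways; the extra cost of tunnel mode is one inner IP header per packet.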
Re: [leaf-user] ipsec connect to this?
Correct me if I am wrong; but, isn't transport mode solely for host-to-host VPNs?

Everything seems to be OK in auth.log and ipsec look appears OK, when I use tunnel mode -- however, we cannot ping nor telnet nor ftp to the other side. tcpdump shows outgoing requests; but, nothing comes back.

Unfortunately, the other side is not cooperative, because he insists that we must use a Cisco like he is, and he's determined to prove that to us all ;<

When I select type=transport, the auth.log process never completes and no ``IPSec SA is established ...'' appears.

What do you think?

"Michael D. Schleif" wrote:
>
> Received following set of requirements for one of our DCD's to connect
> to a remote non-DCD site:
>
> ISAKMP Policy:
> Encryption: 3DES
> Hash: MD5
> Authentication: pre shared keys
> Diffie-Hellman group 1 or 2
>
> Use the following key:
> IPSec GW Address: 204.235.103.2
>
> Destination Network: 204.235.101.128 255.255.255.240
>
> IPSec Policy
> ESP Transform: 3DES
> ESP Authentication Transform: md5-hmac
>
> IPSec mode is transport. Please be sure to apply NAT *BEFORE* IPSec.
> Private Addresses leaked onto the network will be rejected.
>
> We have not set up ipsec to non-DCD before.
>
> Is this doable?
>
> Is above information adequate?
>
> Is there anything unusual to this setup?

--
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
RE: [leaf-user] ipsec connect to this?
--On Wednesday, November 06, 2002 3:38 PM -0600 Joey Officer <[EMAIL PROTECTED]> wrote:

> If you are questioning can IPSec be set up with DCD, sure, you can use a floppy, and with my limited experience, it looks like there is enough information here to set up your ipsec.conf file, but I don't see a key...and the destination network should be the private range I assume?

It is certainly possible to establish an IPSec tunnel to a non-RFC1918 network.

-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ [EMAIL PROTECTED]
RE: [leaf-user] ipsec connect to this?
Upon further reading, I think the following would be adequate for implementing this ipsec setup, but I'm not sure about the opposite side.

conn office
        # we'll assume left is DCD
        left=public.ip.address
        leftsubnet=192.168.1.0/24
        leftnexthop=public.ip.address.1
        leftrsasigkey=
        leftfirewall=yes
        right=204.235.103.2
        # 204.235.101.128 255.255.255.240 from the requirements is a /28, not a /24
        rightsubnet=204.235.101.128/28
        rightnexthop=204.235.103.1
        rightrsasigkey=
        rightfirewall=no
        auto=add

I think this should work, you might check the right subnet and right hop statements for valid IP and IP range.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:leaf-user-admin@;lists.sourceforge.net]On Behalf Of Michael D. Schleif
Sent: Wednesday, November 06, 2002 3:30 PM
To: LEAF
Subject: [leaf-user] ipsec connect to this?

Received following set of requirements for one of our DCD's to connect to a remote non-DCD site:

ISAKMP Policy:
Encryption: 3DES
Hash: MD5
Authentication: pre shared keys
Diffie-Hellman group 1 or 2

Use the following key:
IPSec GW Address: 204.235.103.2

Destination Network: 204.235.101.128 255.255.255.240

IPSec Policy
ESP Transform: 3DES
ESP Authentication Transform: md5-hmac

IPSec mode is transport. Please be sure to apply NAT *BEFORE* IPSec. Private Addresses leaked onto the network will be rejected.

We have not set up ipsec to non-DCD before.

Is this doable?

Is above information adequate?

Is there anything unusual to this setup?

--
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
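As an added example (not Joey's or Michael's code, and not part of the thread), a small Python helper that turns the Cisco-style requirements quoted above into a FreeS/WAN-style conn block and catches the two things this thread trips over: the "network mask" to /prefix conversion (255.255.255.240 is a /28, not a /24) and the peer's two constraints, that transport mode cannot carry subnets and that RFC1918 addresses must be NATed before IPsec. The keywords type, authby, auto and the left*/right* parameters are standard FreeS/WAN ipsec.conf keys; the local addresses are constructed documentation addresses and rightnexthop is an assumption, as in Joey's draft.

```python
import ipaddress

# Values quoted in the thread (remote Cisco side).
REMOTE_GW = "204.235.103.2"
REMOTE_NET = "204.235.101.128 255.255.255.240"

# "Private addresses" as the requirements use the term: the RFC1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def cidr_from_mask(net_and_mask):
    """Cisco-style 'network mask' -> ipsec.conf-style 'network/prefix'.
    strict=True rejects a network address that has host bits set."""
    net, mask = net_and_mask.split()
    return str(ipaddress.ip_network(f"{net}/{mask}", strict=True))

def leaks_private(subnet):
    """True if any address in subnet is RFC1918, i.e. it would reach the peer
    (and be rejected) unless NAT is applied before IPsec."""
    n = ipaddress.ip_network(subnet)
    return any(n.overlaps(r) for r in RFC1918)

def build_conn(name, left, leftnexthop, right, rightnexthop,
               mode="tunnel", leftsubnet=None, rightsubnet=None):
    """Return an ipsec.conf conn block using pre-shared keys (authby=secret);
    the key itself belongs in ipsec.secrets, never in ipsec.conf."""
    if mode == "transport" and (leftsubnet or rightsubnet):
        raise ValueError("transport mode is host-to-host only; subnets need type=tunnel")
    if leftsubnet and leaks_private(leftsubnet):
        raise ValueError(f"{leftsubnet} is RFC1918; NAT before IPsec or present a public range")
    settings = [("type", mode), ("authby", "secret"),
                ("left", left), ("leftsubnet", leftsubnet), ("leftnexthop", leftnexthop),
                ("right", right), ("rightsubnet", rightsubnet), ("rightnexthop", rightnexthop),
                ("auto", "add")]
    return "\n".join([f"conn {name}"] + [f"\t{k}={v}" for k, v in settings if v])

if __name__ == "__main__":
    # Local side uses constructed documentation addresses; rightnexthop is assumed.
    print(build_conn("office", "203.0.113.10", "203.0.113.1", REMOTE_GW, "204.235.103.1",
                     leftsubnet="203.0.113.32/27", rightsubnet=cidr_from_mask(REMOTE_NET)))
```

Passing Joey's leftsubnet=192.168.1.0/24 raises, which is the check the peer's "NAT *BEFORE* IPSec" line is asking for; with a public left subnet the generated block matches the requirements except for the key, which goes in ipsec.secrets.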
RE: [leaf-user] ipsec connect to this?
If you are questioning can IPSec be set up with DCD, sure, you can use a floppy, and with my limited experience, it looks like there is enough information here to set up your ipsec.conf file, but I don't see a key...and the destination network should be the private range I assume?

Joey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:leaf-user-admin@;lists.sourceforge.net]On Behalf Of Michael D. Schleif
Sent: Wednesday, November 06, 2002 3:30 PM
To: LEAF
Subject: [leaf-user] ipsec connect to this?

Received following set of requirements for one of our DCD's to connect to a remote non-DCD site:

ISAKMP Policy:
Encryption: 3DES
Hash: MD5
Authentication: pre shared keys
Diffie-Hellman group 1 or 2

Use the following key:
IPSec GW Address: 204.235.103.2

Destination Network: 204.235.101.128 255.255.255.240

IPSec Policy
ESP Transform: 3DES
ESP Authentication Transform: md5-hmac

IPSec mode is transport. Please be sure to apply NAT *BEFORE* IPSec. Private Addresses leaked onto the network will be rejected.

We have not set up ipsec to non-DCD before.

Is this doable?

Is above information adequate?

Is there anything unusual to this setup?

--
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .