Craig,

UDP port 500 is NOT it.

Viz:  (Microsoft KB article Q150543 WinNT, Terminal Server & Exchange 
Service use TCP/IP ports)

PPTP    TCP:1723  IP Protocol:47

(Also see "Troubleshooting PPTP connectivity issues", KB article Q162847)

Does anyone know if IP Protocol 47 is enabled by default?  I still do 
not seem to be able to get thru.

Jim

Craig Smith wrote:
> Hi Jim.
> 
> Indeed, you are missing a small point, and I only point it out as I have 
> been researching on this very topic, as I support various VPN and RAS 
> clients at work.
> 
> For VPNing, there are two protocols, PPTP, and IPSec. PPTP works through 
> most firewalls with little or no modification (Opening port UDP port 500 
> usually does the trick). However, the IPSec protocol which Nortel 
> equipment and many others use does not work without problems. To quote 
> from Linux VPN Masquerade HOWTO: (Large chunks of quote, sorry to those 
> this doesn't apply to.)
> 
> 2.10 Why patch the Linux kernel? 
> 
> The largest problem in masquerading VPN traffic is that the stock Linux 
> IP masquerade has no special awareness of IP protocols other than TCP, 
> UDP and ICMP. 
> 
> All IP traffic may be forwarded and filtered by IP address, but 
> masquerading IP protocols other than TCP, UDP and ICMP requires 
> modifying the kernel. 
> 
> The PPTP control channel is plain TCP and requires no special setup 
> beyond letting it through the firewall and masquerading it. 
> 
> Masquerading the IPsec and PPTP data channels requires a modification 
> that adds support for the ESP and GRE protocols to the masquerading 
> code, and masquerading the ISAKMP key exchange protocol requires a 
> modification that prevents masquerade from altering the UDP source port 
> number and adds tracking of the ISAKMP cookie values instead of the port
> number. 
> 
> 2.2 What is IPsec? 
> 
> IPsec is a set of standard protocols for implementing secure 
> communications and encryption key exchange between computers. It can be 
> used to implement a VPN. 
> 
> An IPsec VPN generally consists of two communications channels between 
> the endpoint hosts: a key-exchange channel over which authentication and 
> encryption key information is passed, and one or more data channels over 
> which private network traffic is carried. 
> 
> The key-exchange channel is a standard UDP connection to and from port 
> 500. The data channels carrying the traffic between the client and 
> server use IP protocol number 50 (ESP). 
> 
> More information is available in F-Secure's IPsec FAQ at 
> http://www.Europe.F-Secure.com/support/vpn+/faq/techfaq.html, and in 
> RFC2402 (the AH protocol, IP protocol number 51),
> RFC2406 (the ESP protocol, IP protocol number 50), and RFC2408 (the 
> ISAKMP key-exchange protocol). 
> 
> IPsec is a peer-to-peer protocol. However, since most people will be 
> exposed to it in the form of an originate-only Windows client being used 
> to access a central network security gateway, "client" will be used to 
> refer to the endpoint host that the user is sitting in front of and 
> "server" will be used to refer to the central network security gateway. 
> 
> Important note: If your VPN is based on the AH protocol (including 
> AH+ESP), it cannot be masqueraded. The AH protocol specifies a 
> cryptographic checksum across portions of the IP header, including the 
> IP addresses. IP Masquerade is implemented by modifying the source IP 
> address for outbound packets and the destination IP address for inbound 
> packets.
> Since the masquerading gateway cannot participate in the encryption key 
> exchange, it cannot generate the correct cryptographic checksums for the 
> modified IP headers. Thus the modified IP packets will be discarded by 
> the recipient as invalid, because they fail the cryptographic checksum 
> test. 
> 
> 2.3 What is PPTP? 
> 
> PPTP stands for Point-to-Point Tunnelling Protocol. It is a 
> Microsoft-proposed protocol for implementing a VPN. 
> 
> The PPTP VPN protocol consists of two communications channels between 
> the client and server: a control channel over which link-management 
> information is passed, and a data channel over which (possibly 
> encrypted) private network traffic is carried. 
> 
> The control channel is a standard TCP connection to port 1723 on the 
> server. The data channel carrying the private network traffic uses IP 
> protocol number 47 (GRE), a generic encapsulation protocol described in 
> RFC1701. The transparent transmission of data over the data channel is 
> achieved by negotiating a standard PPP connection over it, just as if it 
> were a dialup connection directly from the client to the server. The 
> options negotiated over the tunnel by PPP control whether the data is 
> compressed and/or encrypted, thus PPTP itself has nothing to do with 
> encryption. 
> 
> The details of the PPTP protocol are documented in RFC2637. 
> 
> Microsoft's implementation of the PPTP protocol is not considered very 
> secure. If you're interested in the details, here are three separate 
> analyses: 
> 
> http://www.counterpane.com/pptp.html
> http://www.geek-girl.com/bugtraq/1999_1/0664.html
> http://oliver.efri.hr/~crv/security/bugs/NT/pptp2.html
> 
> Hope this clears up any confusion. 
> If you want to read the full story, go here.
> http://www.impsec.org/linux/masquerade/VPN-howto/VPN-Masquerade-2.html
> Also note that Freesco seems to support IPSec with a precompiled kernel 
> that you substitute for the base... However, I haven't gotten this 
> working yet, I will let all know when I do. And to John, I'm really not 
> surprised you've given up, with people giving away the same thing for 
> free and lots of different groups and teams working on a project like 
> Freesco, it's hard to keep up as a one man team. 
> 
> Craig.
> --
> 
> On Tue, 29-May-2001 02:26:30  
>  Jim Harris wrote:
> >I am a little confused here.....
> >
> >Ian (and others) are clambering for IPSEC masq, (and I'll vote for that 
> >too. . . but...)
> >
> >1.  Will someone please remind me what it -IS-??
> >2.  Stan is making noises like this means STN does not support outbound 
> >(from home to work via STN) VPN...... it either does not work - or does 
> >not masq properly???
> >
> >The version of STN -I- have, does, repeat DOES support outbound VPN. (I 
> >think, but am not sure, that it does not support -INBOUND- VPN)
> >
> >I have a work laptop that I can plug into the network at my job, and due 
> >to the way I have DNS configured on my "home" network - I can plug it in 
> >here, and it can find the gateway, etc. just fine.  In fact, I often use 
> >my home network, and associated cable connection thru STN, to make 
> >outbound VPN connects to my job.  I connect thru to the network - 
> >download test files, start servers and services, and otherwise go hog 
> >wild.  No problem....
> >
> >Maybe I am missing something??
> >
> >Jim
> >
> >Stan Simmons wrote:
> >> I second that! My company will be closing all holes in the firewall and
> >> putting in a VPN system this summer. I am going to have to leave STN 
> >> (after several years of happy use) when this happens unless an update 
> >> happens soon.
> >> I am not happy about this.
> >> 
> >> Stan
> >> 
> >> > -----Original Message-----
> >> > From: Ian McDermid [mailto:[EMAIL PROTECTED]]
> >> > Sent: Monday, May 28, 2001 6:42 PM
> >> > To: '[EMAIL PROTECTED]'
> >> > Subject: [STN] A Final plea to John Lombardo
> >> >
> >> >
> >> > John,
> >> >
> >> > Would you consider releasing a new version say 2.1.4 that
> >> > incorporates kernel 2.0.39. This kernel supports IPSEC
> >> > masquerade. This forum is full of people who want this facility
> >> > so they communicate with PIX/Firewall1 systems.
> >> >
> >> > Regards
> >> >
> >> > Ian
> >> >
> >> >
> >> > --
> >> > Visit http://www.ShareTheNet.com for info about ShareTheNet
> >> > Visit http://www.topica.com/lists/sharethenet for info about this list
> >> > To Unsubscribe send email to: [EMAIL PROTECTED]
> >
> 
> 
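The port and protocol facts stated in this thread (PPTP: TCP port 1723 plus IP protocol 47/GRE; IPsec: UDP port 500 plus IP protocol 50/ESP, with AH as IP protocol 51 that cannot be masqueraded) turned into a small packet classifier, as an added example that is not code from this thread or from the VPN Masquerade HOWTO quoted in it. It parses raw IPv4 headers, names the VPN channel each packet belongs to, reports what the HOWTO says a masquerading gateway can do with it, and checks Jim's symptom: a PPTP control connection that gets through while no GRE traffic is ever seen. The function names, the 192.168.1.10 / 203.0.113.5 addresses and every sample packet are constructed for the demonstration.

```python
"""Classify IPv4 packets by VPN channel and say what a masquerading gateway can do with them.

Added example; not code from the mailing-list thread or from the VPN Masquerade
HOWTO. It encodes the port/protocol facts the thread states (PPTP: TCP 1723 +
IP protocol 47; IPsec: UDP 500 + IP protocol 50; AH = IP protocol 51, never
masqueradable). All packets handled below are constructed here for the demo.
"""
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 47, 50, 51
PPTP_CONTROL_PORT, ISAKMP_PORT = 1723, 500

STOCK, PATCHED, NEVER = "stock kernel", "patched kernel", "never"

# VPN channel -> (masquerade support according to the HOWTO, reason)
VPN_CHANNELS = {
    "PPTP control": (STOCK, "plain TCP to port 1723; ordinary TCP masquerade works"),
    "PPTP data (GRE)": (PATCHED, "IP protocol 47; masquerade code needs GRE support"),
    "IPsec key exchange (ISAKMP)": (PATCHED, "UDP port 500; NAT must keep the UDP source port and track ISAKMP cookies"),
    "IPsec data (ESP)": (PATCHED, "IP protocol 50; masquerade code needs ESP support"),
    "IPsec AH": (NEVER, "IP protocol 51; the AH checksum covers the IP addresses NAT rewrites"),
}


def parse_ipv4(packet: bytes) -> dict:
    """Pull protocol number, addresses and payload out of a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes (options included)
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"protocol": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "payload": packet[ihl:]}


def classify(packet: bytes) -> dict:
    """Name the VPN channel a packet belongs to and whether a masquerading gateway can pass it."""
    hdr = parse_ipv4(packet)
    proto, payload = hdr["protocol"], hdr["payload"]
    name = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(payload) < 4:
            raise ValueError("truncated TCP/UDP header")
        sport, dport = struct.unpack("!HH", payload[:4])   # ports come first in both headers
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
            name = "PPTP control"
        elif proto == IPPROTO_UDP and ISAKMP_PORT in (sport, dport):
            name = "IPsec key exchange (ISAKMP)"
    elif proto == IPPROTO_GRE:
        name = "PPTP data (GRE)"
    elif proto == IPPROTO_ESP:
        name = "IPsec data (ESP)"
    elif proto == IPPROTO_AH:
        name = "IPsec AH"

    result = {"src": hdr["src"], "dst": hdr["dst"], "protocol": proto}
    if name is None:
        # Stock masquerade only understands TCP, UDP and ICMP; other protocols are forwarded at best.
        supported = proto in (IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP)
        result.update(channel="not a VPN channel",
                      masquerade=STOCK if supported else "unsupported by stock masquerade",
                      reason="ordinary traffic")
    else:
        support, reason = VPN_CHANNELS[name]
        result.update(channel=name, masquerade=support, reason=reason)
    return result


def diagnose_pptp(packets) -> str:
    """Explain a PPTP session that 'connects then hangs' from the channels actually observed."""
    seen = {classify(p)["channel"] for p in packets}
    if "PPTP control" not in seen:
        return "no PPTP control traffic: TCP port 1723 is not reaching the server"
    if "PPTP data (GRE)" not in seen:
        return "control channel up but no GRE: IP protocol 47 is being dropped or not masqueraded"
    return "both PPTP channels present"


def make_packet(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the demo (checksum left at zero; constructed data only)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


# Constructed sample traffic between a home client and a work VPN gateway (hypothetical addresses).
CLIENT, GATEWAY = "192.168.1.10", "203.0.113.5"
PPTP_CTL = make_packet(IPPROTO_TCP, CLIENT, GATEWAY, struct.pack("!HH", 40000, PPTP_CONTROL_PORT) + bytes(16))
PPTP_GRE = make_packet(IPPROTO_GRE, CLIENT, GATEWAY, bytes.fromhex("3001880b00000000"))  # GRE carrying PPP
IKE = make_packet(IPPROTO_UDP, CLIENT, GATEWAY, struct.pack("!HH", ISAKMP_PORT, ISAKMP_PORT) + bytes(8))
ESP = make_packet(IPPROTO_ESP, CLIENT, GATEWAY, bytes(16))
AH = make_packet(IPPROTO_AH, CLIENT, GATEWAY, bytes(24))
WEB = make_packet(IPPROTO_TCP, CLIENT, GATEWAY, struct.pack("!HH", 50000, 80) + bytes(16))

if __name__ == "__main__":
    for pkt in (PPTP_CTL, PPTP_GRE, IKE, ESP, AH, WEB):
        c = classify(pkt)
        print(f"proto {c['protocol']:>2}  {c['channel']:<28} masquerade: {c['masquerade']:<34} {c['reason']}")
    print(diagnose_pptp([PPTP_CTL]))   # Jim's case: port 1723 gets through, protocol 47 does not
```

Run as a script it prints one line per sample packet; `diagnose_pptp` with only the control packet reports the "1723 open but protocol 47 blocked" case the thread is about. On a real gateway the packets would come from a capture on the external interface rather than from `make_packet`, and the same classification tells you whether the missing piece is a firewall rule for IP protocol 47 or 50, a UDP 500 source-port rewrite, or an AH-based VPN that no NAT can carry.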
