No problemo dude!  I've worked WAY too many 40 hour days myself...

Maybe you have to open BOTH?  I'm still experimenting with this

Jim

Craig Smith wrote:
> Again, for IPSec implementations of VPN, one of the ports that has to be 
> opened (UDP) is 500. I am also aware of port 1723 for the PPTP side of 
> things. 
> If I flubbed up an earlier post I apologize, I have been reading way too
> many technical articles lately to keep track of everything.
> --
> 
> On Wed, 30-May-2001 03:50:43  
>  Jim Harris wrote:
> >Craig,
> >
> >UDP port 500 is NOT it.
> >
> >Viz:  (Microsoft KB article Q150543 WinNT, Terminal Server & Exchange 
> >Service use TCP/IP ports)
> >
> >PPTP    TCP:1723  IP Protocol:47
> >
> >(Also see "Troubleshooting PPTP connectivity issues, KB article Q162847)
> >
> >Does anyone know if IP Protocol 47 is enabled by default?  I still do 
> >not seem to be able to get thru.
> >
> >Jim
> >
> >Craig Smith wrote:
> >> Hi Jim.
> >> 
> >> Indeed, you are missing a small point, and I only point it out as I have
> >> been researching on this very topic, as I support various VPN and RAS
> >> clients at work.
> >> 
> >> For VPNing, there are two protocols, PPTP, and IPSec. PPTP works through
> >> most firewalls with little or no modification (Opening port UDP port 500
> >> usually does the trick). However, the IPSec protocol which Nortel
> >> equipment and many others use does not work without problems. To quote
> >> from Linux VPN Masquerade HOWTO: (Large chunks of quote, sorry to those
> >> this doesn't apply to.)
> >> 
> >> 2.10 Why patch the Linux kernel? 
> >> 
> >> The largest problem in masquerading VPN traffic is that the stock Linux 
> >> IP masquerade has no special awareness of IP protocols other than TCP, 
> >> UDP and ICMP. 
> >> 
> >> All IP traffic may be forwarded and filtered by IP address, but 
> >> masquerading IP protocols other than TCP, UDP and ICMP requires 
> >> modifying the kernel. 
> >> 
> >> The PPTP control channel is plain TCP and requires no special setup 
> >> beyond letting it through the firewall and masquerading it. 
> >> 
> >> Masquerading the IPsec and PPTP data channels requires a modification 
> >> that adds support for the ESP and GRE protocols to the masquerading 
> >> code, and masquerading the ISAKMP key exchange protocol requires a 
> >> modification that prevents masquerade from altering the UDP source port 
> >> number and adds tracking of the ISAKMP cookie values instead of the port
> >> number. 
> >> 
> >> 2.2 What is IPsec? 
> >> 
> >> IPsec is a set of standard protocols for implementing secure 
> >> communications and encryption key exchange between computers. It can be 
> >> used to implement a VPN. 
> >> 
> >> An IPsec VPN generally consists of two communications channels between
> >> the endpoint hosts: a key-exchange channel over which authentication and
> >> encryption key information is passed, and one or more data channels over
> >> which private network traffic is carried.
> >> 
> >> The key-exchange channel is a standard UDP connection to and from port 
> >> 500. The data channels carrying the traffic between the client and 
> >> server use IP protocol number 50 (ESP). 
> >> 
> >> More information is available in F-Secure's IPsec FAQ at 
> >> http://www.Europe.F-Secure.com/support/vpn+/faq/techfaq.html, and in 
> >> RFC2402 (the AH protocol, IP protocol number 51),
> >> RFC2406 (the ESP protocol, IP protocol number 50), and RFC2408 (the 
> >> ISAKMP key-exchange protocol). 
> >> 
> >> IPsec is a peer-to-peer protocol. However, since most people will be
> >> exposed to it in the form of an originate-only Windows client being used
> >> to access a central network security gateway, "client" will be used to
> >> refer to the endpoint host that the user is sitting in front of and
> >> "server" will be used to refer to the central network security gateway.
> >> 
> >> Important note: If your VPN is based on the AH protocol (including 
> >> AH+ESP), it cannot be masqueraded. The AH protocol specifies a 
> >> cryptographic checksum across portions of the IP header, including the 
> >> IP addresses. IP Masquerade is implemented by modifying the source IP 
> >> address for outbound packets and the destination IP address for inbound 
> >> packets.
> >> Since the masquerading gateway cannot participate in the encryption key
> >> exchange, it cannot generate the correct cryptographic checksums for the
> >> modified IP headers. Thus the modified IP packets will be discarded by
> >> the recipient as invalid, because they fail the cryptographic checksum
> >> test.
> >> 
> >> 2.3 What is PPTP? 
> >> 
> >> PPTP stands for Point-to-Point Tunnelling Protocol. It is a 
> >> Microsoft-proposed protocol for implementing a VPN. 
> >> 
> >> The PPTP VPN protocol consists of two communications channels between 
> >> the client and server: a control channel over which link-management 
> >> information is passed, and a data channel over which (possibly 
> >> encrypted) private network traffic is carried. 
> >> 
> >> The control channel is a standard TCP connection to port 1723 on the 
> >> server. The data channel carrying the private network traffic uses IP 
> >> protocol number 47 (GRE), a generic encapsulation protocol described in 
> >> RFC1701. The transparent transmission of data over the data channel is
> >> achieved by negotiating a standard PPP connection over it, just as if it
> >> were a dialup connection directly from the client to the server. The
> >> options negotiated over the tunnel by PPP control whether the data is
> >> compressed and/or encrypted, thus PPTP itself has nothing to do with
> >> encryption.
> >> 
> >> The details of the PPTP protocol are documented in RFC2637. 
> >> 
> >> Microsoft's implementation of the PPTP protocol is not considered very 
> >> secure. If you're interested in the details, here are three separate 
> >> analyses: 
> >> 
> >> http://www.counterpane.com/pptp.html
> >> http://www.geek-girl.com/bugtraq/1999_1/0664.html
> >> http://oliver.efri.hr/~crv/security/bugs/NT/pptp2.html
> >> 
> >> Hope this clears up any confusion. 
> >> If you want to read the full story, go here.
> >> http://www.impsec.org/linux/masquerade/VPN-howto/VPN-Masquerade-2.html
> >> Also note that Freesco seems to support IPSec with a precompiled kernel
> >> that you substitute for the base... However, I haven't gotten this
> >> working yet, I will let all know when I do. And to John, I'm really not
> >> surprised you've given up, with people giving away the same thing for
> >> free and lots of different groups and teams working on a project like
> >> Freesco, it's hard to keep up as a one man team.
> >> 
> >> Craig.
> >> --
> >> 
> >> On Tue, 29-May-2001 02:26:30  
> >>  Jim Harris wrote:
> >> >I am a little confused here.....
> >> >
> >> >Ian (and others) are clambering for IPSEC masq, (and I'll vote for that 
> >> >too. . . but...)
> >> >
> >> >1.  Will someone please remind me what it -IS-??
> >> >2.  Stan is making noises like this means STN does not support outbound 
> >> >(from home to work via STN) VPN...... it either does not work - or does 
> >> >not masq properly???
> >> >
> >> >The version of STN -I- have, does, repeat DOES support outbound VPN. (I 
> >> >think, but am not sure, that it does not support -INBOUND- VPN)
> >> >
> >> >I have a work laptop that I can plug into the network at my job, and due
> >> >to the way I have DNS configured on my "home" network - I can plug it in
> >> >here, and it can find the gateway, etc. just fine.  In fact, I often use
> >> >my home network, and associated cable connection thru STN, to make
> >> >outbound VPN connects to my job.  I connect thru to the network -
> >> >download test files, start servers and services, and otherwise go hog
> >> >wild.  No problem....
> >> >
> >> >Maybe I am missing something??
> >> >
> >> >Jim
> >> >
> >> >Stan Simmons wrote:
> >> >> I second that! My company will be closing all holes in the firewall and
> >> >> putting in a VPN system this summer. I am going to have to leave STN 
> >> >> (after
> >> >> several years of happy use) when this happens unless an update happens 
> >> >> soon.
> >> >> I am not happy about this.
> >> >> 
> >> >> Stan
> >> >> 
> >> >> > -----Original Message-----
> >> >> > From: Ian McDermid [mailto:[EMAIL PROTECTED]]
> >> >> > Sent: Monday, May 28, 2001 6:42 PM
> >> >> > To: '[EMAIL PROTECTED]'
> >> >> > Subject: [STN] A Final plea to John Lombardo
> >> >> >
> >> >> >
> >> >> > John,
> >> >> >
> >> >> > Would you consider releasing a new version say 2.1.4 that
> >> >> > incorporates kernel 2.0.39. This kernel supports IPSEC
> >> >> > masquerade. This forum is full of people who want this facility
> >> >> > so they communicate with PIX/Firewall1 systems.
> >> >> >
> >> >> > Regards
> >> >> >
> >> >> > Ian
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Visit http://www.ShareTheNet.com for info about ShareTheNet
> >> >> > Visit http://www.topica.com/lists/sharethenet for info about this list
> >> >> > To Unsubscribe send email to: [EMAIL PROTECTED]
> >> >> >
> >> >> >
> >> >> 
> >> >
> >> >
> >> >
> >> >
> >> >
> >> 
> >> 
> >
> >
> >
> >
> >
> 
> 



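As an added illustration (not code from the thread, the HOWTO, or ShareTheNet), a small Python classifier that applies the port and protocol numbers quoted above to raw IPv4 packets and reports whether a stock TCP/UDP/ICMP-only masquerade can carry each VPN channel. The packets are constructed samples and the function names are my own.

```python
import socket
import struct

# IP protocol numbers and ports named in the quoted HOWTO / KB articles.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 1, 6, 17, 47, 50, 51
PORT_ISAKMP, PORT_PPTP_CTRL = 500, 1723


def build_ipv4(proto, src, dst, sport=None, dport=None):
    """Constructed sample: minimal 20-byte IPv4 header, optional TCP/UDP ports."""
    payload = struct.pack("!HH", sport, dport) if sport is not None else b""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def classify(packet):
    """Name the VPN channel a packet belongs to and say whether a stock Linux
    masquerade (which only rewrites TCP, UDP and ICMP) can carry it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (options included)
    proto = packet[9]                      # protocol field sits at byte 9
    l4 = packet[ihl:]
    ports = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        ports = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP and ports and PORT_PPTP_CTRL in ports:
        return {"channel": "PPTP control (TCP/1723)", "masquerade": "stock"}
    if proto == PROTO_UDP and ports and PORT_ISAKMP in ports:
        # Source port must survive NAT; patched masquerade tracks ISAKMP cookies instead.
        return {"channel": "ISAKMP key exchange (UDP/500)", "masquerade": "patched kernel"}
    if proto == PROTO_GRE:
        return {"channel": "PPTP data (GRE, proto 47)", "masquerade": "patched kernel"}
    if proto == PROTO_ESP:
        return {"channel": "IPsec ESP data (proto 50)", "masquerade": "patched kernel"}
    if proto == PROTO_AH:
        # AH's integrity check covers the IP addresses that masquerade rewrites.
        return {"channel": "IPsec AH (proto 51)", "masquerade": "impossible"}
    if proto in (PROTO_ICMP, PROTO_TCP, PROTO_UDP):
        return {"channel": "ordinary traffic", "masquerade": "stock"}
    return {"channel": "IP protocol %d" % proto, "masquerade": "patched kernel"}


if __name__ == "__main__":
    client, gateway = "192.168.1.2", "203.0.113.5"   # constructed addresses
    for pkt in (build_ipv4(PROTO_TCP, client, gateway, 40001, PORT_PPTP_CTRL),
                build_ipv4(PROTO_GRE, client, gateway),
                build_ipv4(PROTO_UDP, client, gateway, PORT_ISAKMP, PORT_ISAKMP),
                build_ipv4(PROTO_ESP, client, gateway),
                build_ipv4(PROTO_AH, client, gateway)):
        print(classify(pkt))
```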