Speaking of 40 hour days, what am I doing at work on a Sunday? Oh wait, that's right, I volunteered to cover for somebody going on a vay-cay-tion. Whatever that is.

On to VPN. It's possible that both may have to be opened. I'm not fully clear yet on how it all works, but I think that PPTP may be used as part of IPSEC as a control channel, and therefore port 1723 may have to be opened as well. In any case, there are a lot of things that have to happen, which is why I'm looking for a drop in solution, as opposed to patching the kernel, opening ports, editing config files, and dancing in the moonlight while chanting "IPSEC and PPTP, please God work for me".

I'll post any real results that I find, but because I'm working 2 12 hour shifts this weekend it won't happen till next week, probably.

Craig
--

On Thu, 31-May-2001 02:06:37 Jim Harris wrote:
>No problemo dude! I've worked WAY too many 40 hour days myself...
>
>Maybe you have to open BOTH? I'm still experimenting with this
>
>Jim
>
>Craig Smith wrote:
>> Again, for IPSec implementations of VPN, one of the ports that has to be
>> opened (UDP) is 500. I am also aware of port 1723 for the PPTP side of
>> things.
>> If I flubbed up an earlier post I apologize, I have been reading way too
>> many technical articles lately to keep track of everything.
>> --
>>
>> On Wed, 30-May-2001 03:50:43
>> Jim Harris wrote:
>> >Craig,
>> >
>> >UDP port 500 is NOT it.
>> >
>> >Viz: (Microsoft KB article Q150543 WinNT, Terminal Server & Exchange
>> >Service use TCP/IP ports)
>> >
>> >PPTP TCP:1723 IP Protocol:47
>> >
>> >(Also see "Troubleshooting PPTP connectivity issues, KB article Q162847)
>> >
>> >Does anyone know if IP Protocol 47 is enabled by default? I still do
>> >not seem to be able to get thru.
>> >
>> >Jim
>> >
>> >Craig Smith wrote:
>> >> Hi Jim.
>> >>
>> >> Indeed, you are missing a small point, and I only point it out as I have
>> >> been researching on this very topic, as I support various VPN and RAS
>> >> clients at work.
>> >>
>> >> For VPNing, there are two protocols, PPTP, and IPSec. PPTP works through
>> >> most firewalls with little or no modification (opening UDP port 500
>> >> usually does the trick). However, the IPSec protocol which Nortel
>> >> equipment and many others use does not work without problems. To quote
>> >> from Linux VPN Masquerade HOWTO: (Large chunks of quote, sorry to those
>> >> this doesn't apply to.)
>> >>
>> >> 2.10 Why patch the Linux kernel?
>> >>
>> >> The largest problem in masquerading VPN traffic is that the stock Linux
>> >> IP masquerade has no special awareness of IP protocols other than TCP,
>> >> UDP and ICMP.
>> >>
>> >> All IP traffic may be forwarded and filtered by IP address, but
>> >> masquerading IP protocols other than TCP, UDP and ICMP requires
>> >> modifying the kernel.
>> >>
>> >> The PPTP control channel is plain TCP and requires no special setup
>> >> beyond letting it through the firewall and masquerading it.
>> >>
>> >> Masquerading the IPsec and PPTP data channels requires a modification
>> >> that adds support for the ESP and GRE protocols to the masquerading
>> >> code, and masquerading the ISAKMP key exchange protocol requires a
>> >> modification that prevents masquerade from altering the UDP source port
>> >> number and adds tracking of the ISAKMP cookie values instead of the port
>> >> number.
>> >>
>> >> 2.2 What is IPsec?
>> >>
>> >> IPsec is a set of standard protocols for implementing secure
>> >> communications and encryption key exchange between computers. It can be
>> >> used to implement a VPN.
>> >>
>> >> An IPsec VPN generally consists of two communications channels between
>> >> the endpoint hosts: a key-exchange channel over which authentication and
>> >> encryption key information is passed, and one or more data channels over
>> >> which private network traffic is carried.
>> >>
>> >> The key-exchange channel is a standard UDP connection to and from port
>> >> 500.
>> >> The data channels carrying the traffic between the client and
>> >> server use IP protocol number 50 (ESP).
>> >>
>> >> More information is available in F-Secure's IPsec FAQ at
>> >> http://www.Europe.F-Secure.com/support/vpn+/faq/techfaq.html, and in
>> >> RFC2402 (the AH protocol, IP protocol number 51),
>> >> RFC2406 (the ESP protocol, IP protocol number 50), and RFC2408 (the
>> >> ISAKMP key-exchange protocol).
>> >>
>> >> IPsec is a peer-to-peer protocol. However, since most people will be
>> >> exposed to it in the form of an originate-only Windows client being used
>> >> to access a central network security gateway, "client" will be used to
>> >> refer to the endpoint host that the user is sitting in front of and
>> >> "server" will be used to refer to the central network security gateway.
>> >>
>> >> Important note: If your VPN is based on the AH protocol (including
>> >> AH+ESP), it cannot be masqueraded. The AH protocol specifies a
>> >> cryptographic checksum across portions of the IP header, including the
>> >> IP addresses. IP Masquerade is implemented by modifying the source IP
>> >> address for outbound packets and the destination IP address for inbound
>> >> packets.
>> >> Since the masquerading gateway cannot participate in the encryption key
>> >> exchange, it cannot generate the correct cryptographic checksums for the
>> >> modified IP headers. Thus the modified IP packets will be discarded by
>> >> the recipient as invalid, because they fail the cryptographic checksum
>> >> test.
>> >>
>> >> 2.3 What is PPTP?
>> >>
>> >> PPTP stands for Point-to-Point Tunnelling Protocol. It is a
>> >> Microsoft-proposed protocol for implementing a VPN.
>> >>
>> >> The PPTP VPN protocol consists of two communications channels between
>> >> the client and server: a control channel over which link-management
>> >> information is passed, and a data channel over which (possibly
>> >> encrypted) private network traffic is carried.
>> >>
>> >> The control channel is a standard TCP connection to port 1723 on the
>> >> server. The data channel carrying the private network traffic uses IP
>> >> protocol number 47 (GRE), a generic encapsulation protocol described in
>> >> RFC1701. The transparent transmission of data over the data channel is
>> >> achieved by negotiating a standard PPP connection over it, just as if it
>> >> were a dialup connection directly from the client to the server. The
>> >> options negotiated over the tunnel by PPP control whether the data is
>> >> compressed and/or encrypted, thus PPTP itself has nothing to do with
>> >> encryption.
>> >>
>> >> The details of the PPTP protocol are documented in RFC2637.
>> >>
>> >> Microsoft's implementation of the PPTP protocol is not considered very
>> >> secure. If you're interested in the details, here are three separate
>> >> analyses:
>> >>
>> >> http://www.counterpane.com/pptp.html
>> >> http://www.geek-girl.com/bugtraq/1999_1/0664.html
>> >> http://oliver.efri.hr/~crv/security/bugs/NT/pptp2.html
>> >>
>> >> Hope this clears up any confusion.
>> >> If you want to read the full story, go here.
>> >> http://www.impsec.org/linux/masquerade/VPN-howto/VPN-Masquerade-2.html
>> >> Also note that Freesco seems to support IPSec with a precompiled kernel
>> >> that you substitute for the base... However, I haven't gotten this
>> >> working yet, I will let all know when I do. And to John, I'm really not
>> >> surprised you've given up, with people giving away the same thing for
>> >> free and lots of different groups and teams working on a project like
>> >> Freesco, it's hard to keep up as a one man team.
>> >>
>> >> Craig.
>> >> --
>> >>
>> >> On Tue, 29-May-2001 02:26:30
>> >> Jim Harris wrote:
>> >> >I am a little confused here.....
>> >> >
>> >> >Ian (and others) are clamoring for IPSEC masq, (and I'll vote for that
>> >> >too. . . but...)
>> >> >
>> >> >1. Will someone please remind me what it -IS-??
>> >> >2.
>> >> >Stan is making noises like this means STN does not support outbound
>> >> >(from home to work via STN) VPN...... it either does not work - or does
>> >> >not masq properly???
>> >> >
>> >> >The version of STN -I- have, does, repeat DOES support outbound VPN. (I
>> >> >think, but am not sure, that it does not support -INBOUND- VPN)
>> >> >
>> >> >I have a work laptop that I can plug into the network at my job, and due
>> >> >to the way I have DNS configured on my "home" network - I can plug it in
>> >> >here, and it can find the gateway, etc. just fine. In fact, I often use
>> >> >my home network, and associated cable connection thru STN, to make
>> >> >outbound VPN connects to my job. I connect thru to the network -
>> >> >download test files, start servers and services, and otherwise go hog
>> >> >wild. No problem....
>> >> >
>> >> >Maybe I am missing something??
>> >> >
>> >> >Jim
>> >> >
>> >> >Stan Simmons wrote:
>> >> >> I second that! My company will be closing all holes in the firewall and
>> >> >> putting in a VPN system this summer. I am going to have to leave STN
>> >> >> (after
>> >> >> several years of happy use) when this happens unless an update happens
>> >> >> soon.
>> >> >> I am not happy about this.
>> >> >>
>> >> >> Stan
>> >> >>
>> >> >> > -----Original Message-----
>> >> >> > From: Ian McDermid [mailto:[EMAIL PROTECTED]]
>> >> >> > Sent: Monday, May 28, 2001 6:42 PM
>> >> >> > To: '[EMAIL PROTECTED]'
>> >> >> > Subject: [STN] A Final plea to John Lombardo
>> >> >> >
>> >> >> > John,
>> >> >> >
>> >> >> > Would you consider releasing a new version say 2.1.4 that
>> >> >> > incorporates kernel 2.0.39. This kernel supports IPSEC
>> >> >> > masquerade. This forum is full of people who want this facility
>> >> >> > so they communicate with PIX/Firewall1 systems.
>> >> >> >
>> >> >> > Regards
>> >> >> >
>> >> >> > Ian
>> >> >> >
>> >> >> > --
>> >> >> > Visit http://www.ShareTheNet.com for info about ShareTheNet
>> >> >> > Visit http://www.topica.com/lists/sharethenet for info about this list
>> >> >> > To Unsubscribe send email to: [EMAIL PROTECTED]
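The AH note in the quoted HOWTO (the integrity check covers the IP addresses, so an address-rewriting gateway breaks it, while ESP's check does not cover the outer header) can be shown directly. This is an added example, not code from the thread or from the HOWTO; it builds minimal IPv4 packets protected by AH and by ESP with a constructed key and HMAC-SHA1-96, applies the source-address rewrite a masquerading gateway performs, and checks which packet the far end still accepts. All addresses, SPIs and the key are constructed values.

```python
import hashlib, hmac, struct
# Constructed demo key; none of the addresses or values below come from the thread.
KEY = b"constructed-demo-key"
ICV_LEN = 12                      # HMAC-SHA1-96: MAC truncated to 96 bits (RFC 2404)
IPPROTO_ESP, IPPROTO_AH = 50, 51  # IP protocol numbers quoted in the HOWTO

def ip4(s): return bytes(int(o) for o in s.split("."))

def ipv4_header(src, dst, proto, total_len, ttl=64):
    # 20-byte header, checksum left zero; masquerade() fills it in as a gateway would
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0, ip4(src), ip4(dst))

def ah_icv(ip_hdr, ah_fields, payload):
    # AH (RFC 2402): MAC over the IP header with mutable fields (TOS, flags/frag, TTL, checksum)
    # zeroed but BOTH addresses kept, then the AH header with a zeroed ICV, then the payload
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return hmac.new(KEY, bytes(h) + ah_fields + b"\0" * ICV_LEN + payload, hashlib.sha1).digest()[:ICV_LEN]

def ah_packet(src, dst, payload):
    ah_fields = struct.pack("!BBHII", 17, 4, 0, 0x100, 1)  # next hdr UDP, len, rsvd, SPI, seq
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + len(ah_fields) + ICV_LEN + len(payload))
    return ip_hdr + ah_fields + ah_icv(ip_hdr, ah_fields, payload) + payload

def ah_verify(pkt):
    ip_hdr, ah_fields, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fields, payload))

def esp_packet(src, dst, payload):
    # ESP (RFC 2406): MAC over SPI, sequence and payload only, never the outer IP header
    body = struct.pack("!II", 0x200, 1) + payload  # ESP-NULL (RFC 2410) keeps the demo short
    icv = hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, IPPROTO_ESP, 20 + len(body) + ICV_LEN) + body + icv

def esp_verify(pkt):
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN])

def masquerade(pkt, new_src):
    # Gateway rewrites the source address and fixes the IP checksum; with no SA key it can't touch the rest
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ip4(new_src); hdr[10:12] = b"\0\0"
    s = sum(struct.unpack("!10H", bytes(hdr)))
    while s >> 16: s = (s & 0xFFFF) + (s >> 16)
    hdr[10:12] = struct.pack("!H", ~s & 0xFFFF)
    return bytes(hdr) + pkt[20:]

def demo(new_src="198.51.100.7"):
    # Does the far end accept each packet sent direct, and after masquerading?
    ah, esp = (f("192.168.1.10", "203.0.113.5", b"hello") for f in (ah_packet, esp_packet))
    return {"ah_direct": ah_verify(ah), "ah_masq": ah_verify(masquerade(ah, new_src)),
            "esp_direct": esp_verify(esp), "esp_masq": esp_verify(masquerade(esp, new_src))}
```

`demo()` returns `ah_masq` False and the other three True: only the AH packet is rejected after the rewrite, which is exactly why the HOWTO says AH (and AH+ESP) cannot be masqueraded while ESP can.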
