Security Basics mailing list archives
RE: VPN Question
From: "Larry Thompson" <lthompson999 () comcast net>
Date: Tue, 26 Aug 2003 20:42:01 -0400
I can see several possible problems here. First is the issue of NAT traversal. Do your VPN gateway and client software support this feature? If so, the address space that gets assigned when the client connects can possibly be in the same range as the hotel-assigned address (you supply 10.0.0.5/24 and the hotel assigns 10.0.0.10/24), and the VPN client and gateway can get confused in their routing.

Also, if the hotel blocks ICMP traffic it will fail. The VPN client (Cisco) must first "ping" the gateway to see if it is available before attempting to send the first UDP packet to set up the tunnel. Other VPN clients can just send out the IKE packet hoping to get a response from the gateway.

The one question I have not seen asked is, for those that cannot connect, do they get prompted for their credentials and then it fails, or does it pass credentials, set up the tunnel and then fail, or do they not get prompted at all?

Larry Thompson
CISSP, GSEC

-----Original Message-----
From: David Burt [mailto:uncue75 () yahoo com]
Sent: Monday, August 25, 2003 2:52 PM
To: security-basics () securityfocus com
Subject: RE: VPN Question

I may be wrong, but doesn't this have to do with NAT Traversal not being turned on in their NAT implementation? Very green, so don't flame me if I'm blatantly wrong.

A problem we had with some of our users is that the RFC 1918 addresses we give out once someone VPNs in just happened to be part of the same network that the hotel was using in their NAT implementation.

-----Original Message-----
From: Dana Smith [mailto:dana_smith () comcast net]
Sent: Saturday, August 23, 2003 1:16 AM
To: security-basics () securityfocus com
Subject: RE: VPN Question

This is likely caused by the hotel blocking IPsec traffic, which a number of them do. It's a crap shoot as to which ones block it and I don't believe there is an easy workaround with Sonicwall. You will probably need to consider deploying another VPN client product that allows for alternate protocol VPN traffic.

-----Original Message-----
From: DeGennaro, Gregory [mailto:Gregory_DeGennaro () csaa com]
Sent: Friday, August 22, 2003 4:32 PM
To: Jim Brezicky; security-basics () securityfocus com
Subject: RE: VPN Question

Jim,

This is a hotel issue. If it works in some and not in others, it means in this case that the source is the problem. Unless you have round robin VPN IP addresses and your users do not know what the IPs are? Which I highly doubt and why would you want to do this?

Regards,
Greg DeGennaro Jr., CCNP
Security Analyst

-----Original Message-----
From: Jim Brezicky [mailto:brezicky () infimed com]
Sent: Friday, August 22, 2003 10:29 AM
To: security-basics () securityfocus com
Subject: VPN Question

Good afternoon all,

This posting is a little off track, but I'm hoping someone can help me anyway. I have a SonicWall Pro230 and I'm trying to do VPN with it. My users connect from some locations and not others. Example: They could connect from the airport in Cincinnati, but not the airport in Las Vegas. Seems they can't connect in many (if any) hotels.

In speaking with SonicWall they said this is a known issue when connecting through a firewall on the hotel side. I know I'm not the first company to try this, and was wondering how others get by this issue? Or is this an inherent SonicWall issue? Most of my users are traveling sales people, and will go all around the US, and Japan.

Any insight would be GREATLY appreciated.

Thanks,
Jim Brezicky
InfiMed Inc
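
The address-range collision raised in this thread (a VPN-assigned 10.0.0.5/24 against a hotel-assigned 10.0.0.10/24) can be checked on the client before suspecting the tunnel itself. The following is an added example, not part of any poster's message; the interface names wlan0 and tun0, both route tables and the destination 10.0.0.20 are constructed assumptions.

```python
import ipaddress

def overlaps(local_ifaces, vpn_ifaces):
    """Return (local_net, vpn_net) pairs whose address ranges share addresses."""
    pairs = []
    for local in local_ifaces:
        lnet = ipaddress.ip_interface(local).network
        for vpn in vpn_ifaces:
            vnet = ipaddress.ip_interface(vpn).network
            if lnet.overlaps(vnet):
                pairs.append((str(lnet), str(vnet)))
    return pairs

def candidate_interfaces(routes, dst):
    """Longest-prefix match over (cidr, ifname) routes.

    Returns the sorted interfaces that tie at the longest matching prefix:
    one entry means an unambiguous route, several mean the choice depends on
    metrics or client behaviour, an empty list means no route.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(cidr), ifname)
               for cidr, ifname in routes
               if addr in ipaddress.ip_network(cidr)]
    if not matches:
        return []
    best = max(net.prefixlen for net, _ in matches)
    return sorted({ifname for net, ifname in matches if net.prefixlen == best})

# Constructed sample data: wlan0 = hotel LAN, tun0 = VPN adapter (assumed names).
CONFLICT_ROUTES = [("0.0.0.0/0", "wlan0"),
                   ("10.0.0.0/24", "wlan0"),   # hotel assigns 10.0.0.10/24
                   ("10.0.0.0/24", "tun0")]    # VPN assigns 10.0.0.5/24
CLEAN_ROUTES = [("0.0.0.0/0", "wlan0"),
                ("192.168.1.0/24", "wlan0"),   # hotel on a different RFC 1918 range
                ("10.0.0.0/24", "tun0")]

if __name__ == "__main__":
    print(overlaps(["10.0.0.10/24"], ["10.0.0.5/24"]))
    for name, table in (("conflict", CONFLICT_ROUTES), ("clean", CLEAN_ROUTES)):
        # 10.0.0.20 is a constructed corporate host behind the VPN gateway.
        print(name, candidate_interfaces(table, "10.0.0.20"))
```

When two interfaces are returned for a corporate destination, the hotel LAN and the tunnel both claim it, which is the routing confusion described above; choosing a VPN pool outside the commonly used RFC 1918 ranges reduces how often this happens.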