Security Incidents mailing list archives

Re: isakmp before smtp?


From: Mike Fratto <mfratto () NWC SYR EDU>
Date: Mon, 11 Sep 2000 20:02:55 -0400

Depends on how you configure it. There are two ways to create an IPsec VPN
with W2K and they are very different. You can use the "VPN Adapter" in
Dial-Up Networking which is not the case we care about here. Or you can use
IPsec between W2K machines themselves, which is the case. There are several
ways to configure how connections are processed when IPsec is running in
W2K. You can have it require that all connections are run via IPsec. Some
connections can run if the other side requests or we request IPsec, or
pass in the clear.

Check out
http://www.microsoft.com/windows2000/library/technologies/security/default.asp
for more details

In this case, when the MTA attempts to contact anyone, it will first try to
exchange IKE (UDP port 500) and if that fails, it will just continue the
connection in the clear. If the far end had responded with the next step in
the IKE exchange, the two systems would try to authenticate. If they don't
know each other, the connection would fail at that point. W2K offers three
ways to authenticate with IKE: Kerberos, certificate, and pre-shared
secret. So unless you're talking to another W2K box, you're gonna be doing
either certificate or pre-shared secret.

mike



At 06:04 PM 9/11/00 -0500, Frank Knobbe wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Uhm... this may be a stupid question, but how is this supposed to
work? Don't you need to have keys exchanged or both systems
configured with a shared secret? How can an IPSec session be set up
to someone who is not somehow listed in the configuration of that
mail server? Is there some kind of free-for-all IPSec?

Regards,
Frank

> -----Original Message-----
> From: Mike Fratto [mailto:mfratto () NWC SYR EDU]
> Sent: Sunday, September 10, 2000 8:42 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: isakmp before smtp?
>
>
> The MTA is a Windows 2000 box that is configured to try to
> use IPsec VPN
> for communications if possible, but fall back to clear text
> if IPsec fails.


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOb1k/URKym0LjhFcEQL0QACgy3QMFRPCaZMzPhpPH1M4CkjM+GwAoK2u
J09Mkno4pzYxH161YaDR0BmB
=0EJv
-----END PGP SIGNATURE-----

___________________

Mike Fratto
Senior Technology Editor
Network Computing
001 Machinery Hall
Syracuse University
Syracuse, NY  13244

V-(315) 443-2231
F-(315) 443-2277
___________________
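The behaviour Mike describes (an IKE attempt on UDP/500 that, if unanswered, is followed a moment later by SMTP in the clear) is what shows up on the wire as "isakmp before smtp". The script below is an added example, not part of this thread or of any Microsoft documentation: it takes constructed flow records (timestamp, source, destination, protocol, destination port) and labels each IKE initiation as "negotiated" (the peer answered on UDP/500), "fallback" (the same source opened TCP/25 to the same destination within a few seconds) or "unanswered" (neither), so an analyst can tell an opportunistic-IPsec MTA apart from an unrelated UDP/500 probe. The `Flow` record, the five-second window and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    """One flow record as a sensor might export it (hypothetical format)."""
    ts: datetime
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


# Constructed sample flows (not from the thread). A W2K MTA at 192.0.2.10
# contacts two mail hosts: 198.51.100.20 never answers IKE, so the MTA falls
# back to SMTP in the clear; 203.0.113.5 answers IKE, so no TCP/25 is seen.
# 192.0.2.77 sends a lone UDP/500 packet with no follow-up of either kind.
SAMPLE_FLOWS = [
    Flow(datetime(2000, 9, 10, 8, 40, 0), "192.0.2.10", "198.51.100.20", "udp", 500),
    Flow(datetime(2000, 9, 10, 8, 40, 1), "192.0.2.10", "198.51.100.20", "tcp", 25),
    Flow(datetime(2000, 9, 10, 8, 41, 0), "192.0.2.10", "203.0.113.5", "udp", 500),
    Flow(datetime(2000, 9, 10, 8, 41, 0, 500000), "203.0.113.5", "192.0.2.10", "udp", 500),
    Flow(datetime(2000, 9, 10, 8, 45, 0), "192.0.2.77", "198.51.100.20", "udp", 500),
]


def classify_ike(flows, window=timedelta(seconds=5)):
    """Classify every IKE initiation (UDP/500) by what follows it within `window`.

    Returns {(src, dst, initiation_ts): label} with label one of
    "negotiated"  - the peer sent UDP/500 back, so IKE proceeded,
    "fallback"    - the same src opened TCP/25 to dst instead (clear-text SMTP),
    "unanswered"  - neither happened inside the window.
    """
    flows = sorted(flows, key=lambda f: f.ts)
    open_init = {}   # (src, dst) -> timestamp of a pending IKE initiation
    verdict = {}

    for f in flows:
        key = (f.src, f.dst)
        if f.proto == "udp" and f.dport == 500:
            rev = (f.dst, f.src)
            # A UDP/500 packet in the reverse direction of a pending
            # initiation is the peer's reply, not a new initiation.
            if rev in open_init and f.ts - open_init[rev] <= window:
                verdict[(rev[0], rev[1], open_init.pop(rev))] = "negotiated"
                continue
            open_init[key] = f.ts
        elif f.proto == "tcp" and f.dport == 25 and key in open_init:
            if f.ts - open_init[key] <= window:
                verdict[(key[0], key[1], open_init.pop(key))] = "fallback"

    # Anything still pending got neither a reply nor a clear-text SMTP follow-up.
    for (src, dst), ts in open_init.items():
        verdict[(src, dst, ts)] = "unanswered"
    return verdict


if __name__ == "__main__":
    for (src, dst, ts), label in sorted(classify_ike(SAMPLE_FLOWS).items(), key=lambda kv: kv[0][2]):
        print(f"{ts.isoformat()} {src} -> {dst}: {label}")
```

The window is deliberately short because the fallback happens right after the IKE timeout on the initiator; widen it if your sensor timestamps flows at their end rather than their start. A run of "fallback" verdicts from one source to many mail hosts is the MTA configuration Mike describes, whereas "unanswered" verdicts from a source that never sends SMTP deserve a second look.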
