Message-ID: <20040405100454.1757271d.volker.tanger@detewe.de>
From: volker.tanger at detewe.de (Volker Tanger)
Subject: MSN\Qwest ships DSL modem with "unconfigurable" firewall

Greetings!

On Fri, 2 Apr 2004 10:19:59 -0700 James Lay <jlay@...riben.com> wrote:

> Real quick...just implemented a Cisco VPN concentrator here and lo and
> behold certain users couldn't get in.  The concentrator is setup with
> the standard UDP port 500.  All users BESIDES MSN\Qwest DSL users
> could get right on.  After a few calls and some frustration, Qwest
> informed us that the firewall on the DSL router they ship is
> "unconfigurable"


That is because you'll need AH/ESP (== IP type 50/51) in addition to
IKE, if you want to implement IPSec VPN.

Most el-cheapo routers only support
	ICMP (== IP type 1)
	TCP  (== IP type 6)
and	UDP  (== IP type 17)

Thus you'd need an encapsulation of ESP traffic like the soft-VPN
clients of Nortel and CheckPoint offer (probably just because of this
problem). Or you'd have to have a router that really supports 
"IPSec-Forwarding" (i.e. blind forwarding of IP types 50+51 to a
specific IP to be configured in the router). Data sheets don't always
tell the truth here, so you really should verify before rollout...  

Qapla'

Volker Tanger
ITK Security
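Added example, not part of Volker's message or the list archive: a small Python model of the filter he describes. It shows that IKE on UDP/500 gets through a router that only passes ICMP/TCP/UDP while raw ESP (IP protocol 50) does not, and that either UDP-encapsulating the ESP traffic or a router that really does "IPSec-Forwarding" of 50/51 to one configured host lets the VPN work. The addresses, the UDP/4500 encapsulation port and the ESP body are constructed assumptions.

```python
import socket
import struct

# IP protocol numbers named in the message (IANA assigned values)
ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51
IKE_PORT = 500          # IKE, as in the message
ENCAP_PORT = 4500       # assumed port for UDP encapsulation of ESP (NAT-T style)

# Constructed sample addresses (RFC 5737 documentation ranges)
CLIENT, VPN_GATEWAY, OTHER_HOST = "198.51.100.7", "192.0.2.10", "192.0.2.11"

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header, no options, header checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_udp(sport, dport, data):
    """UDP header with checksum left at zero (optional over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from an IPv4 packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), pkt[ihl:]

def cheap_router_forwards(pkt, ipsec_forward_to=None):
    """Model of the filter in the message: only ICMP/TCP/UDP pass; ESP/AH pass
    only if the router blindly forwards IP types 50/51 to one configured host."""
    proto, _, dst, _ = parse_ipv4(pkt)
    if proto in (ICMP, TCP, UDP):
        return True
    if proto in (ESP, AH):
        return ipsec_forward_to is not None and dst == ipsec_forward_to
    return False

# Constructed packets: a fake ESP body (SPI, sequence number, opaque data)
ESP_BODY = struct.pack("!II", 0x0001ABCD, 1) + b"\x00" * 16
IKE_PKT = build_ipv4(UDP, CLIENT, VPN_GATEWAY, build_udp(IKE_PORT, IKE_PORT, b"IKE"))
RAW_ESP_PKT = build_ipv4(ESP, CLIENT, VPN_GATEWAY, ESP_BODY)
ENCAP_ESP_PKT = build_ipv4(UDP, CLIENT, VPN_GATEWAY,
                           build_udp(ENCAP_PORT, ENCAP_PORT, ESP_BODY))

def vpn_setup_survives(ike_pkt, esp_pkt, ipsec_forward_to=None):
    """The VPN only works if both the IKE exchange and the ESP data path get through."""
    return (cheap_router_forwards(ike_pkt, ipsec_forward_to)
            and cheap_router_forwards(esp_pkt, ipsec_forward_to))

if __name__ == "__main__":
    print("raw ESP:", vpn_setup_survives(IKE_PKT, RAW_ESP_PKT))                         # False
    print("ESP + IPSec-Forwarding:", vpn_setup_survives(IKE_PKT, RAW_ESP_PKT, VPN_GATEWAY))  # True
    print("UDP-encapsulated ESP:", vpn_setup_survives(IKE_PKT, ENCAP_ESP_PKT))          # True
```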
