lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: volker.tanger at (Volker Tanger)
Subject: MSN\Qwest ships DSL modem with "unconfigurable"


On Fri, 2 Apr 2004 10:19:59 -0700 James Lay <> wrote:

> Real quick...just implemented a Cisco VPN concentrator here and lo and
> behold certain users couldn't get in.  The concentrator is setup with
> the standard UDP port 500.  All users BESIDES MSN\Qwest DSL users
> could get right on.  After a few calls and some frustration, Qwest
> informed us that the firewall on the DSL router they ship is
> "unconfigurable"

That is because you'll need AH/ESP (== IP type 50/51) in addition to
IKE, if you want to implement IPSec VPN.

Most el-cheapo routers only support 
	ICMP (== IP type 1)
	TCP  (== IP type 6) 
and 	UDP  (== IP type 17)

Thus you'd need an encapsulation of ESP traffic like the soft-VPN
clients of Nortel and CheckPoint offer (probably just because of this
problem). Or you'd have to have a router that really supports 
"IPSec-Forwarding" (i.e. blind forwarding of IP types 50+51 to a
specific IP to be configured in the router). Data sheets don't always
tell the truth here, so you really should verify before rollout...  


Volker Tanger
ITK Security

Powered by blists - more mailing lists