lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: dgianndrea at (David Gianndrea)
Subject: MSN\Qwest ships DSL modem with "unconfigurable"

Look up NAT-T @ That should help ya!

Volker Tanger wrote:

> Greetings!
> On Fri, 2 Apr 2004 10:19:59 -0700 James Lay <> wrote:
>>Real quick...just implemented a Cisco VPN concentrator here and lo and
>>behold certain users couldn't get in.  The concentrator is setup with
>>the standard UDP port 500.  All users BESIDES MSN\Qwest DSL users
>>could get right on.  After a few calls and some frustration, Qwest
>>informed us that the firewall on the DSL router they ship is
> That is because you'll need AH/ESP (== IP type 50/51) in addition to
> IKE, if you want to implement IPSec VPN.
> Most el-cheapo routers only support 
> 	ICMP (== IP type 1)
> 	TCP  (== IP type 6) 
> and 	UDP  (== IP type 17)
> Thus you'd need an encapsulation of ESP traffic like the soft-VPN
> clients of Nortel and CheckPoint offer (probably just because of this
> problem). Or you'd have to have a router that really supports 
> "IPSec-Forwarding" (i.e. blind forwarding of IP types 50+51 to a
> specific IP to be configured in the router). Data sheets don't always
> tell the truth here, so you really should verify before rollout...  
> Qapla'
> Volker Tanger
> ITK Security
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:

David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.


Powered by blists - more mailing lists