From: dgianndrea at comsquared.com (David Gianndrea)
Subject: MSN\Qwest ships DSL modem with "unconfigurable" firewall

Look up NAT-T @ cisco.com. That should help ya!


Volker Tanger wrote:

> Greetings!
> 
> On Fri, 2 Apr 2004 10:19:59 -0700 James Lay <jlay@...riben.com> wrote:
> 
> 
>>Real quick...just implemented a Cisco VPN concentrator here and lo and
>>behold certain users couldn't get in.  The concentrator is set up with
>>the standard UDP port 500.  All users BESIDES MSN\Qwest DSL users
>>could get right on.  After a few calls and some frustration, Qwest
>>informed us that the firewall on the DSL router they ship is
>>"unconfigurable"
> 
> 
> 
> That is because you'll need AH/ESP (== IP type 50/51) in addition to
> IKE, if you want to implement IPSec VPN.
> 
> Most el-cheapo routers only support 
> 	ICMP (== IP type 1)
> 	TCP  (== IP type 6) 
> and 	UDP  (== IP type 17)
> 
> Thus you'd need an encapsulation of ESP traffic like the soft-VPN
> clients of Nortel and CheckPoint offer (probably just because of this
> problem). Or you'd have to have a router that really supports 
> "IPSec-Forwarding" (i.e. blind forwarding of IP types 50+51 to a
> specific IP to be configured in the router). Data sheets don't always
> tell the truth here, so you really should verify before rollout...  
> 
> Qapla'
> 
> Volker Tanger
> ITK Security
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   dgianndrea@...squared.com
Web:     www.comsquared.com
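
The distinction this thread turns on, as an added example that is not part of the original posts: a packet classifier that separates IKE, native ESP/AH, and NAT-T (UDP-encapsulated) traffic and reports which of them a router forwarding only ICMP, TCP and UDP would pass. The function names, the UDP 4500 framing checks (taken from RFC 3948) and the sample packets are assumptions constructed for illustration.

```python
import struct

# Simplified model of the router in the quoted post: only ICMP, TCP, UDP pass.
BASIC_NAT_PROTOS = {1, 6, 17}
IPSEC_PROTOS = {50: "esp", 51: "ah"}  # IANA protocol numbers

def classify(pkt: bytes) -> str:
    """Label an IPv4 packet by its role in an IPsec session."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto = pkt[9]
    if proto in IPSEC_PROTOS:
        return "native-" + IPSEC_PROTOS[proto]
    if proto != 17:
        return "other"
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return "udp-fragment"  # later fragments carry no UDP header
    if len(pkt) < ihl + 8:
        return "malformed"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data = pkt[ihl + 8:]
    if 4500 in (sport, dport):  # NAT-T port (RFC 3948)
        if data == b"\xff":
            return "natt-keepalive"
        if data[:4] == b"\x00" * 4:
            return "natt-ike"  # non-ESP marker precedes the IKE header
        return "natt-esp" if len(data) >= 8 else "malformed"
    return "ike" if 500 in (sport, dport) else "other"

def survives_basic_nat(pkt: bytes) -> bool:
    return len(pkt) >= 20 and pkt[9] in BASIC_NAT_PROTOS

def make_ipv4(proto: int, body: bytes) -> bytes:
    """Constructed test packet; checksum left at 0, documentation addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + body

def make_udp(sport: int, dport: int, data: bytes) -> bytes:
    return make_ipv4(17, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

ESP = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16  # constructed SPI, seq, dummy body
SAMPLES = [make_ipv4(50, ESP), make_udp(500, 500, b"\x11" * 28),
           make_udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28), make_udp(4500, 4500, ESP)]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{classify(p):12} survives basic NAT: {survives_basic_nat(p)}")
```

Run over a capture taken on each side of the DSL router, the same labels show whether a client fell back to UDP encapsulation or is still sending native ESP that never arrives.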

