Re: freeswan: no reply packets / nat
From: Nico Kadel-Garcia (nkadel_at_verizon.net)
Date: 09/11/03
- Previous message: Leura: "Re: Files gradually disappearing"
- In reply to: erik: "Re: freeswan: no reply packets / nat"
- Next in thread: erik: "Re: freeswan: no reply packets / nat"
- Reply: erik: "Re: freeswan: no reply packets / nat"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Sep 2003 01:50:16 GMT
erik wrote:
> Nico Kadel-Garcia wrote:
>
>
>>Floris Martens wrote:
>>
>>
>>>Thomas Wichser wrote:
>>>
>>>
>>>>hello everyone
>>>>
>>>>i try to setup a network-network connection using freeswan. there's
>>>>a netscreen firewall at the other end and my gateway is behind a
>>>>firewall doing nat. there's no port forwarding on my side, because
>>>>just my gateway is allowed to initiate the connection.
>>>
>>>
>>>It probably won't work behind nat. IPsec checksums the ip header, and
>>>on the packet's way out, the nat gateway happily changes the source
>>>ip address, but not the checksum, rendering the packet invalid.
>>>
>>>Floris
>>>
>>
>>I'm using PPTP, from www.poptop.org, with good success. Freeswan and
>>the other IPsec clients make me want to beat the authors with a
>>clue-bat for building into every single client and server the storage
>>of the IPsec passwords as unencrypted flat-text files, readable on the
>>local machines. My suggestions to the authors to alter this to require
>>users to manually enter passwords was blown off with "if your local
>>machine isn't secure, then write it yourself" and "your local machine
>>should be secured".
>
>
> So, start doing some research, and find out that you can use
> certificates.
Gee, you mean a plain-text password structure that's simply much, much
longer? Wow! Now instead of stealing the key files for VPN access
elsewhere through leveraging local access to a client or server, I have
to steal the key files for VPN access elsewhere through leveraging local
access to a client or server.
Wait. Somehow, this seems familiar. Hint for the rest of you: having a
password that is a long text key stored locally unencrypted is *almost*
as bad as having the password "love" for your login.
>>Most of the public VPN tools seem to be thesis-avoiding undergrad
>>projects by people who've never written system software.
>
>
> And you're using poptop? Don't make us laugh.
Oh, they do some of it, too. But they seem to have spent some time on
the user interfaces and configuration, which many VPN authors never even
bother with. And it was a *lot* easier to configure a small wrapper to
ask me for a passphrase at run-time to run the PPTP connection than to
try to integrate it into the various other implementations, such as IPsec.
If you've got a tiny little router box both software and hardware
securable as nothing but a stripped down IPsec router for both the
client and server end, great. But most of us don't have backpack space
for another laptop, and if you need to run it on a client in the field,
kiss your client key security goodbye. The concept of keeping clear-text
passkeys on your local disk went out with putting your password on
post-it notes on your monitor: it's just a really, really bad practice.
If you've seen an IPsec system that requires user run-time password
authentication to release the keys for the client, I'd love to see it.
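The NAT problem raised earlier in this thread can be shown concretely. The following is an added, constructed example and not FreeS/WAN code or anything from the posters: it models the Authentication Header integrity check (RFC 4302), which is computed over the IP header with the mutable fields zeroed, plus the AH header and payload. When a NAT gateway rewrites the source address on the way out, the receiver recomputes the ICV over the new header and verification fails. The key, addresses, SPI and HMAC-SHA1-96 choice are all assumptions made for the demonstration.

```python
"""Why an AH-protected IPsec packet fails verification after NAT.

Constructed example (not FreeS/WAN code): models the RFC 4302 AH integrity
check value (ICV), which covers the IPv4 header (mutable fields zeroed), the
AH header and the payload. A NAT rewrite of the source address changes a
covered field, so the receiver's recomputed ICV no longer matches.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51           # IP protocol number for AH
ICV_LEN = 12            # HMAC-SHA1-96 truncates the MAC to 96 bits
AH_FIXED_LEN = 12       # next header, payload len, reserved, SPI, sequence


def ipv4_header_for_icv(src: str, dst: str, total_len: int, ident: int = 0x1234) -> bytes:
    """IPv4 header as AH sees it when computing the ICV.

    Mutable fields (TOS, flags/fragment offset, TTL, header checksum) are
    zeroed; immutable ones (version/IHL, total length, ID, protocol, and
    both addresses) are included as transmitted.
    """
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,       # version 4, IHL 5 (20-byte header)
        0,          # TOS: mutable -> zero
        total_len,  # total length: immutable
        ident,      # identification: immutable
        0,          # flags + fragment offset: mutable -> zero
        0,          # TTL: mutable -> zero
        AH_PROTO,   # protocol: immutable
        0,          # header checksum: mutable -> zero
        ipaddress.IPv4Address(src).packed,   # source: immutable (covered!)
        ipaddress.IPv4Address(dst).packed,   # destination: immutable
    )


def compute_icv(key: bytes, src: str, dst: str, payload: bytes,
                spi: int = 0x100, seq: int = 1) -> bytes:
    """HMAC-SHA1-96 over zeroed IP header + AH header (ICV zeroed) + payload."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    total_len = 20 + ah_len + len(payload)
    ip_hdr = ipv4_header_for_icv(src, dst, total_len)
    # AH: next header (UDP=17 here), payload length in 32-bit words minus 2,
    # reserved, SPI, sequence number, then the ICV field zeroed for the MAC.
    ah_hdr = struct.pack("!BBHII", 17, (ah_len // 4) - 2, 0, spi, seq) + b"\x00" * ICV_LEN
    mac = hmac.new(key, ip_hdr + ah_hdr + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def verify_icv(key: bytes, src: str, dst: str, payload: bytes, icv: bytes) -> bool:
    """Receiver side: recompute over the header it actually received."""
    return hmac.compare_digest(compute_icv(key, src, dst, payload), icv)


def demo() -> tuple:
    """Return (verifies_without_nat, verifies_after_nat)."""
    key = b"constructed-shared-authentication-key"      # constructed
    inner_src, dst = "192.168.1.10", "203.0.113.5"       # constructed addresses
    payload = b"constructed transport payload"
    icv = compute_icv(key, inner_src, dst, payload)

    # Path 1: packet reaches the peer unmodified -> ICV checks out.
    direct_ok = verify_icv(key, inner_src, dst, payload, icv)

    # Path 2: NAT gateway rewrites the source to its public address. The ICV
    # in the packet was computed over 192.168.1.10, so the peer's recomputation
    # over 198.51.100.7 fails and the packet is dropped.
    nat_public = "198.51.100.7"                          # constructed
    after_nat_ok = verify_icv(key, nat_public, dst, payload, icv)
    return direct_ok, after_nat_ok


if __name__ == "__main__":
    print("verifies without NAT:", demo()[0])
    print("verifies after NAT:  ", demo()[1])
```

The design point is that the failure is not a NAT bug: AH is specified to cover the addresses, so any address rewrite is indistinguishable from tampering. This is exactly why ESP (which leaves the outer IP header uncovered) plus NAT traversal encapsulation was the direction later taken for gateways behind NAT.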