Re: DFL-300 IPSEC VPNs only work if your remote client is wide open on the internet! Sucks!

From: Ozkan Aziz (ozkan_aziz_at_hotmail.com)
Date: 04/15/04


Date: 15 Apr 2004 01:26:29 -0700

Here is the problem (I think): you are using a DFL-300 in
Encapsulating Security Mode (ESP) WITH AUTHENTICATION! When using ESP
in this manner and tunneling, a Message Authentication Code (MAC) is
generated on the:

1) ESP header
2) Payload (ie, the encapsulated "inner IP header" and the payload for
that datagram).
3) part of the ESP trailer.

for the external tunnel from host-to-gateway after encapsulation - NOT
A PROBLEM. I suspect that the problem is in the Authentication part of
the setup.

I think an Authentication Header (AH) is used to authenticate the
inner IP datagram, that is to generate a MAC for all immutable fields
of the inner IP datagram before encapsulation, thus when the router
changes the IP address from internal to external the MAC does not
compute correctly hence a failed connection.

In addition, I'm not sure which way round this is done (i.e. AH first
then ESP), but if ESP is done first then AH, this would explain why the
VPN works when connected to a "RAW INTERNET CONNECTION" and not from a
NATed environment.

I would think that the only way to correct this issue, and use the VPN
software in a NATed environment, would be to stop authentication and
use ESP in tunnel mode with confidentiality only. This increases the
possibility of replay attacks; however, how likely is this to really
take place!

OZ :)

defilm@acm.org (defilm) wrote in message news:<59968f46.0403281002.386d65df@posting.google.com>...
> Duane Arnold <notme@notme.com> wrote in message news:<Xns94B9B35A19F4notmwnotmecom@216.148.227.77>...
> > defilm@acm.org (defilm) wrote in
> > news:59968f46.0403271457.4ce461bf@posting.google.com:
> >
> > > Well,
> > >
> > > At this point I have been able to get IPSEC VPN's to work on the
> > > DFL-300 using the SafeNet software (latest with Zone alarm), ONLY by
> > > putting my PC directly on the internet and disabling all firewall
> > > software! And this is what DLINK's knowledgebase recommends! It is
> > > what their examples recommend!
> >
> > Are you trying to make a VPN connection somewhere? You do know that there
> > must be two valid VPN endpoints. So if you're doing VPN on your end and
> > there is no valid VPN connection on the other end over the Internet, it
> > is not an encrypted VPN connection.
> >
> > And if the machine is sitting behind a NAT router that is protecting it
> > from unsolicited inbound on the ports, then why do you need a host based
> > FW on the machine for a valid VPN connection over the Internet, if the
> > router is there and Port Forwarding on the router is not being used? I
> > think that's the point being made in dropping the host based FW on the
> > machine.
> >
> > The only valid VPN connection that you can have is VPN between two
> > machines on your LAN, unless you are in fact trying to make a valid VPN
> > connection to your company's network that requires a VPN connection as an
> > example.
> >
>
> My PC is sitting on a 10/8 network behind a Checkpoint MG firewall I
> admin. I allow IPSEC passthrough and I allow UDP virtual connectivity.
> (A simple check box that provides any PC on the inside the ability to
> receive a UDP IKE port 500 response without having to use any port
> forwarding as you do on the "home based" consumer based firewalls.)
>
> Using the same Safenet client, I can connect in to our production
> Netscreen VPN firewall, and our Checkpoint FW-1 firewalls. I can also
> use the same Safenet client to connect in to a Netgear FVL-328. NO
> problems.
>
> I have also configured a different PC with simple XP IPSEC. VPN
> filters both directions, works fine in to the Checkpoint and
> Netscreen. (Didn't try the Netgear yet).
>
> > >
> > > IPSEC via WINXP, not a problem, again as long as you are on a
> > > direct real Internet IP (NO NAT), and No firewalls!
> > >
> > > What company would be stupid enough to market a firewall that requires
> > > the remote clients to be wide open on the internet without a
> > > firewall???? That is so sick, and a rip off.
> >
> > Does a D-Link router have a FW, I don't think so. Maybe, it's got NAT and
> > SPI with some FW like abilities. But it is not a FW appliance. The router
> > also has some VPN protocols that will allow the router to make a valid
> > VPN connection to another network that requires a VPN connection.
>
> Does what Dlink have a firewall? The DFL-300? It is a SPI based
> firewall/VPN device. It provides PPTP, and IPSEC passthru. It is a VPN
> endpoint (or so it claims).
>
> PPTP works fine. IPSEC does not get past the IKE Phase I. Client
> indicates that there is NO response from DFL-300. Trace on Checkpoint
> F/w verifies there is no response.
>
> If I put my PC in front of the Checkpoint FW (right out on the raw
> internet), I can get an IPSEC VPN from my PC running Safenet, or even
> (surprise, surprise, MS anything IPSEC), no problem. But then again,
> the PCs have REAL IP addresses, not NAT.
>
> Turning on the simple Firewall provided by Safenet, and enabling IKE
> port forwarding, works as well. I have a Real Internet IP. So it appears
> the DFL-300 does not support a NAT'ed client. No O' NATT
>
> >
> > >
> > > I may not be able to get my money back from PC-Connection, but I am
> > > filing a fraud complaint with the NY State Attorney General's office.
> > >
> > > Best the DFL-300 can do with a NAT'ed client is PPTP with the 2.36
> > > firmware. Another piece of Junk from the friends at DLINK.
> >
> > Do you really know what you're doing with the technology?
> >
> > Duane :)
>
> Well, I have been a network architect for 20 years. I have been
> spending a lot of time on VPN connectivity lately via products like
> Aventail, Netivity, Net6. Been working with VPN's and professional
> firewalls since the battle between TIS Gauntlet, and Checkpoint, and
> the inception of the Internet. I am very well educated in EE and CS,
> and have designed and coded my own SHIM based application security
> token passing protocol technology to provide connectivity to legacy
> ap's on DECnet systems and secure them for VPN access from corporate
> employees for which I receive license fees.
>
> So I know something about this stuff. I don't claim to be an expert
> (who really is), but yea, I think I know what is going on here.
>
> You asked if it has a firewall? You are questioning if I know this
> technology? Geez, Key encryption technologies (secure ones at least)
> date back to Diffie-Hellman in the mid 70's. Everyone should know this
> stuff.
>
> I will gladly send a paypal payment of $100 to anyone who can provide
> a method of connecting IPSEC via a Safenet client to a DFL-300 when
> the client is on private IP space. On my honor.
>
> Mark J. DeFilippis
> defilm@acm.org
> 1-212-632-1928


