[ale] VPN (s are) hell
Bob Toxen
bob at verysecurelinux.com
Fri May 13 17:57:02 EDT 2005
On Fri, May 13, 2005 at 01:17:27PM -0400, Bob Toxen wrote:
> I'm available on a consulting basis and have extensive VPN and FW experience.
I meant for this email to be a private email to the original poster. I
apologize for bothering the rest of ALE with that email. (I just got back
yesterday from a 9-day trip and was processing several thousand emails
beyond critical ones forwarded to a web-based account.)
Thanks,
Bob
> Best regards,
> Bob Toxen, CTO
> Fly-By-Day Consulting, Inc.
> d/b/a Horizon Network Security
> "Your expert in Firewalls, Virus and Spam Filters, VPNs,
> Network Monitoring, and Network Security consulting"
> http://www.verysecurelinux.com [Network & Linux/Unix Security Consulting]
> http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
> http://www.verysecurelinux.com/sunset.html [Sunset Computer]
> bob at verysecurelinux.com (e-mail)
> +1 770-662-8321 (Office: 10am-6pm M-F US Eastern Time)
> +1 404-216-5100 (Cell away from office)
> My recent training and talks on Linux security include:
> at IBM's Linux Competency Center in New York City on Mar. 06 2003
> at the Atlanta SecureWorld Expo in Atlanta on May 22 2003
> at the Enterprise Linux Forum in Silicon Valley on June 04 2003
> at Computer Associates' Atlanta Linux Security Summit on Sep. 16 2003
> in New Jersey on Oct. 27-30 2003
> at Southeast Cybercrime Summit in Atlanta on Mar. 4 2004
> at the FBI's Atlanta headquarters on Mar. 10 2004
> in Denver, CO on Apr. 15-16 2004
> in New Jersey on May. 25-26 2004
> at the Atlanta SecureWorld Expo in Atlanta on May 27 2004
> in Denver, CO on Jul. 12-13 2004
> at Linux World SF signing at Prentice Hall's booth on Aug. 03 2004
> in Denver, CO on Sep. 27-28 2004
> in Boston, MA on Oct. 11-14 2004
> at Atlanta Unix Users Group on Nov. 01 2004
> in New Jersey on Nov. 15-16 2004
> in Denver, CO on 2/28-3/04 This Year
> Author,
> "Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
> 2nd Ed., Prentice Hall, (C) 2003, 848 pages, ISBN: 0130464562
> Also available in Japanese, Chinese, Czech, and Polish.
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- White House cybersecurity adviser Richard Clarke
> Public key available at http://www.verysecurelinux.com/pubkey.txt, keyservers,
> and on the CD-ROM that comes sealed and attached to Real World Linux Security
> pub 1024D/E3A1C540 2000-06-21 Bob Toxen <book at realworldlinuxsecurity.com>
> Key fingerprint = 30BA AA0A 31DD B68B 47C9 601E 96D3 533D E3A1 C540
> sub 2048g/03FFCCB9 2000-06-21
> On Tue, May 03, 2005 at 11:45:21PM -0400, James P. Kinney III wrote:
> > I have a new VPN I'm setting up and it just isn't working right. I'm
> > sure it's a firewall issue but I'm stumped.
> >
> > It's a net-to-net setup using OpenSwan on the gateways. From one end on
> > the LAN, I can ping another machine on the other LAN by IP address.
> > However, I _can't_ ping back the other way which is why I think it's a
> > firewall issue. I can see the traffic moving with tcpdump running on
> > multiple interfaces. I can see the ESP packets leaving and returning to
> > the external interfaces and I can see the decrypted packets entering the
> > LAN interfaces. I did some ping size tests and can get a max MTU of
> > 15236 which is bigger than normal.
> >
> > I can't get jack else through the tunnel. No ssh, no http, no netbios,
> > no telnet, nada, bipcus.
> >
> > I set up a rule in iptables on both ends to not NAT the traffic for the
> > other end (I don't expect I should be seeing any pings work otherwise).
> >
> > I have both ends of the firewall so open I'm worried right now.
> >
> > So I have developed a one way ping tunnel. Argghhhhh.
> > --
> > James P. Kinney III \Changing the mobile computing world/
> > CEO & Director of Engineering \ one Linux user /
> > Local Net Solutions,LLC \ at a time. /
> > 770-493-8244 \.___________________________./
> > http://www.localnetsolutions.com
> >
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
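The firewall side of the net-to-net OpenSwan setup quoted above, as an added example that is from neither poster: a ruleset for one gateway with the "don't NAT the far LAN" exemption James describes, plus a check that both gateways should pass before chasing the tunnel itself. The LAN prefixes, eth0 and the function names are assumed placeholders.

```shell
# Assumed placeholders for the two LANs and the public interface; set them per gateway.
LOCAL_LAN="${LOCAL_LAN:-192.168.10.0/24}"
REMOTE_LAN="${REMOTE_LAN:-192.168.20.0/24}"
EXT_IF="${EXT_IF:-eth0}"

# Emit an iptables-restore ruleset for one gateway ("ipsec_rules | iptables-restore").
ipsec_rules() {
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# The exemption must precede MASQUERADE: once the source is rewritten to the
# public IP the packet no longer matches the subnet-to-subnet IPsec policy and
# leaves in the clear, so the far LAN never sees it.
-A POSTROUTING -s $LOCAL_LAN -d $REMOTE_LAN -j ACCEPT
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# IKE, NAT-T and ESP terminate on the gateway itself.
-A INPUT -i $EXT_IF -p udp --dport 500 -j ACCEPT
-A INPUT -i $EXT_IF -p udp --dport 4500 -j ACCEPT
-A INPUT -i $EXT_IF -p esp -j ACCEPT
# Decrypted traffic is forwarded between the LANs in BOTH directions; a
# one-direction rule here is the classic cause of a one-way ping tunnel.
-A FORWARD -s $LOCAL_LAN -d $REMOTE_LAN -j ACCEPT
-A FORWARD -s $REMOTE_LAN -d $LOCAL_LAN -j ACCEPT
COMMIT
EOF
}

# Check a ruleset on stdin (ipsec_rules output or "iptables-save" from a live
# gateway): exemption before MASQUERADE, FORWARD open both ways. Exit 0 if OK.
check_rules() {
  awk -v l="$LOCAL_LAN" -v r="$REMOTE_LAN" '
    /^\*/ { table = $1 }
    table == "*nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ { masq = NR }
    table == "*nat" && /^-A POSTROUTING/ && $0 ~ ("-s " l " -d " r " -j ACCEPT") { exempt = NR }
    table == "*filter" && /^-A FORWARD/ && $0 ~ ("-s " l " -d " r) { out = 1 }
    table == "*filter" && /^-A FORWARD/ && $0 ~ ("-s " r " -d " l) { back = 1 }
    END {
      ok = 1
      if (!exempt || (masq && exempt > masq)) { print "NAT exemption missing or after MASQUERADE"; ok = 0 }
      if (!out || !back) { print "FORWARD does not allow both directions"; ok = 0 }
      exit !ok
    }'
}
```

Run `iptables-save | check_rules` on each gateway with LOCAL_LAN and REMOTE_LAN swapped for the far end; a pass on one side and a failure on the other matches the one-way symptom.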