Re: VPN gateway

2003-05-26 Thread Bastian Winkler
hello,

I think you are using the ipsec.exe on http://vpn.ebootis.de on the win2k/xp
side to generate the policies.
In this case you should also take a look at
http://vpn.ebootis.de/ipsec-conf.htm for the windoze ipsec.conf

buz

On Sun, 2003-05-25 at 17:53, Craig wrote:
> Hi Guys
> 
> Having a few problems with setting up a VPN gateway on Linux, 
> specifically a debian firewall box and having windows 2000 
> boxes authenticate using certs.
> 
> I have generated a cert for the gateway machine using the openssl packages
> and installed it. I have also configured freeswan to the best of my 
> knowledge and then generated a cert for a test windows 2000 machine and
> afaik they are not authenticating.
> 
> Here is a copy of the freeswan config file on the VPN gateway:
> 
> 
> 
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> 
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
> 
> 
> 
> # basic configuration
> config setup
>   interfaces=%defaultroute
>   klipsdebug=none
>   plutodebug=none
>   plutoload=%search
>   plutostart=%search
>   uniqueids=yes
> 
> 
> 
> # defaults for subsequent connection descriptions
> # (mostly to fix internal defaults which, in retrospect, were badly chosen)
> conn %default
>   keyingtries=2
>   compress=yes
>   disablearrivalcheck=no
>   authby=rsasig
>   leftrsasigkey=%cert
>   rightrsasigkey=%cert
> 
> 
> 
> conn roadwarrior-net
>   leftsubnet=10.3.0.0/23
>   also=roadwarrior
> 
> 
> 
> conn roadwarrior
>   right=%any
>   left=%defaultroute
>   leftcert=gateway.pem
>   auto=add
>   pfs=yes
> 
> And here is a copy of the ipsec.conf file on the windows 2000 box:
> 
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> 
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
> 
> 
> 
> # basic configuration
> config setup
>   interfaces=%defaultroute
>   klipsdebug=none
>   plutodebug=none
>   plutoload=%search
>   plutostart=%search
>   uniqueids=yes
> 
> 
> 
> # defaults for subsequent connection descriptions
> # (mostly to fix internal defaults which, in retrospect, were badly chosen)
> conn %default
>   keyingtries=2
>   compress=yes
>   disablearrivalcheck=no
>   authby=rsasig
>   leftrsasigkey=%cert
>   rightrsasigkey=%cert
> 
> 
> 
> conn roadwarrior-net
>   leftsubnet=10.3.0.0/23
>   also=roadwarrior
> 
> 
> 
> conn roadwarrior
>   right=%any
>   left=%defaultroute
>   leftcert=gw.frame.co.za.pem
>   auto=add
>   pfs=yes
> 
> Any help would be appreciated.
> 
> ..c
> 




RE: Routingtable vulnerability

2003-05-26 Thread Thomas Hebinck
Hi,

is there really nobody who knows anything about this vulnerability?
We use Debian Woody as firewall ...

Sincerely,
Thomas

>-----Original Message-----
>From: www-data [mailto:[EMAIL PROTECTED] Behalf Of
>[EMAIL PROTECTED]
>Sent: Wednesday, May 21, 2003 11:50 AM
>To: debian-isp@lists.debian.org
>Subject: Routingtable vulnerability
>
>
>
>
>Due to the fact that I'm only subscribed to two Debian related mailing lists
>(debian-isp and security-announce) I haven't heard of any discussions about the
>newly discovered Kernel vulnerability (Routingtables,
>http://rhn.redhat.com/errata/RHSA-2003-172.html).
>Has this been discussed on Debian-Lists and are there any countermeasures
>recommended?
>
>Best Regards,
>Dominik Schulz
>
>-
>This mail sent through IMP: http://horde.org/imp/
>
>
>-- 
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
>




Re: Routingtable vulnerability

2003-05-26 Thread Adrian 'Dagurashibanipal' von Bidder
On Monday 26 May 2003 11:47, Thomas Hebinck wrote:
> Hi,
>
> is there really nobody who knows anything about this vulnerability?
> We use Debian Woody as firewall ...

A new Debian kernel-sources (and, IIRC, also kernel-image-...) package is out 
with the routing table fix, also adds a few other fixes.

kernel-source-2.4.20 2.4.20-7 is in unstable and in testing/proposed-updates 
if I understand this correctly.

-- vbi

-- 
featured link: http://fortytwo.ch/time




RE: Routingtable vulnerability

2003-05-26 Thread Thomas Hebinck
Hi,

thanks! :-)

Thomas.

>-----Original Message-----
>From: Adrian 'Dagurashibanipal' von Bidder [mailto:[EMAIL PROTECTED]
>Sent: Monday, May 26, 2003 12:50 PM
>To: debian-isp@lists.debian.org
>Subject: Re: Routingtable vulnerability
>
>
>On Monday 26 May 2003 11:47, Thomas Hebinck wrote:
>> Hi,
>>
>> is there really nobody who knows anything about this vulnerability?
>> We use Debian Woody as firewall ...
>
>A new Debian kernel-sources (and, IIRC, also kernel-image-...) package is out 
>with the routing table fix, also adds a few other fixes.
>
>kernel-source-2.4.20 2.4.20-7 is in unstable and in testing/proposed-updates 
>if I understand this correctly.
>
>-- vbi
>
>-- 
>featured link: http://fortytwo.ch/time
>




Re: Routingtable vulnerability

2003-05-26 Thread Peter Billson
Thomas,
  My brother tells me that there has been some discussion about this on
the kernel list. RedHat's patch was applied to 2.4.21 (plus 2.5.69) but
people are reporting that the patch breaks other things so it is not yet
ready for prime time.

  At this point this remains only a theoretical flaw which someone
noticed while hacking on the kernel. No one has shown an actual exploit.

  Until the kernel hackers can do their thing, there isn't much the
Debian project can do. You may want to monitor the kernel list for more
up-to-date information.

Pete
-- 
http://www.elbnet.com
ELB Internet Service, Inc.
Web Design, Computer Consulting, Internet Hosting



Thomas Hebinck wrote:
> 
> Hi,
> 
> is there really nobody who knows anything about this vulnerability?
> We use Debian Woody as firewall ...
> 
> Sincerely,
> Thomas
> 
> >-----Original Message-----
> >From: www-data [mailto:[EMAIL PROTECTED] Behalf Of
> >[EMAIL PROTECTED]
> >Sent: Wednesday, May 21, 2003 11:50 AM
> >To: debian-isp@lists.debian.org
> >Subject: Routingtable vulnerability
> >
> >
> >
> >
> >Due to the fact that I'm only subscribed to two Debian related mailing lists
> >(debian-isp and security-announce) I haven't heard of any discussions about the
> >newly discovered Kernel vulnerability (Routingtables,
> >http://rhn.redhat.com/errata/RHSA-2003-172.html).
> >Has this been discussed on Debian-Lists and are there any countermeasures
> >recommended?
> >
> >Best Regards,
> >Dominik Schulz
> >




Re: German KK-applications and domain transfers

2003-05-26 Thread Cameron Moore
* [EMAIL PROTECTED] (Thomas Lamy) [2003.05.24 15:41]:
> Cameron Moore wrote:
> > This is a little off-topic, but I figure someone here has to know this.
> > 
> > A customer of mine is wanting to buy a domain from a German citizen.
> > They tell me that the German told them to fill out a KK-application to
> > get the domain transferred.  Can anyone tell me where to get more info
> > on this KK-application (preferably in English)?  My googling has turned
> > up nothing informative.
> > 
> > Also, does anyone know if this is really necessary?  Can we not just
> > request the transfer with our Registrar and let the registrars take care
> > of the authentication and validation?  Thanks
> 
> The procedure for .de domain transfers is:


First, thanks everyone for your replies.  From the list replies and the
private replies I've received, I think I have a clear understanding of
how this works now.  One thing I forgot to mention was that the domain
is a .ORG, which makes a big difference.

Anyway, as I said, thanks for your replies.  I think I can take care of
the transfer now.  Danke!
-- 
Cameron Moore
[ Whatever happened to preparations A through G? ]