Hi,
On Monday 14 January 2002 19:55, Rene de Vries wrote:
> Kshitij,
> A good solution, from my point of view, would be, instead of passing
> evering thing from an ipsec tunnel, using ip-filter (&co, but without
> dummyet) on emerging packets. These packets should then have a different
> inter
On Mon, Jan 14, 2002 at 06:44:07PM +0530, Kshitij Gunjikar wrote:
> Hi All,
> I have one question? If we have a FreeBSD box configured as a router and
> we are not supporting a DHCP like protocol then do we drop packets with
> 0.0.0.0 source address? As per RFC 1812 we must.
You need to run a B
Jason DiCioccio writes:
> I'm trying to replace our current NT (PPTP) vpn with a FreeBSD VPN
> with minimal impact. Is there any way to run a PPTP server using mpd and
> have it authenticate against an NT domains (perhaps with PAM?). Or are
> there any other packages I can use that will do
I'm trying to replace our current NT (PPTP) vpn with a FreeBSD VPN
with minimal impact. Is there any way to run a PPTP server using mpd and
have it authenticate against an NT domains (perhaps with PAM?). Or are
there any other packages I can use that will do this?
I am also open
On Mon, 14 Jan 2002, Terry Lambert wrote:
> This is getting way off topic, but here is a business case
> illustration.
>
> Are you perhaps doing what the Q/A people at a previous job were
> doing, and stress-testing the crap out of a machine on a Gigabit
> LAN, at or near wire speeds, when in th
[ ... Moved to -net ... ]
"James E. Housley" wrote:
> I am just trying to count bytes in and out, too keep track of usage and
> head off a large overage and a larger bill then necessary. Counting
> packets is worthless. But just do the math. With a GigE NIC, at what
> data rate do you start ov
Gif tunnels are not the samething as ipsec tunnels. For one some ipsec
implementations simply won't work with gif tunnels. Furthermore the
administrative overhead when there are more than a few tunnels is
enormous. It is much simpler to have racoon do some (a lot) of the work
for you. Say, fo
Kshitij,
As some other people already mentioned: It might be the case that both
ends of the tunnel are not within the same administrative domain. The
connection is secure, this does not mean that the traffic is also so.
A good solution, from my point of view, would be, instead of passing
ever
> He was referring to using gif tunnels together with IPsec tunnel mode
> SAs (are you?) This "works" but precisely because of the side effect
> that Louis mentioned. A clean solution would user *either* IPIP tunnels
> (i.e. gif devices) and IPsec transport mode *or* IPsec tunnel mode (and
> no gi
Blaz Zupan wrote:
>>And before you suggest that the gif tunnels seen in all those IPSEC
>>examples actually have anything to do with IPSEC tunnels, please try
>>it and look again. It's completely uninvolved other than introducing
>>a route as a side-effect.
>>
>
> I'm not sure what you mean her
> And before you suggest that the gif tunnels seen in all those IPSEC
> examples actually have anything to do with IPSEC tunnels, please try
> it and look again. It's completely uninvolved other than introducing
> a route as a side-effect.
I'm not sure what you mean here, but shouldn't the follo
Hi all
Ok, at this time I would handle this problem like this:
Connect the two sides with an IPSec Tunnel and write an access-list with
ipfw that allow only the specified traffic from the other side network to
your network. This would be the fastest way to handle this problem. For
this, you have
oops - sounds liek MPPE encryption is a subprotocol of the compression
protocol... hence the confusion!
t
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Tariq Rashid
Sent: 14 January 2002 13:54
To: [EMAIL PROTECTED]
Subject: mpd-netgraph PPTP and MS en
The problem, of course, is that tunnel-mode IPSEC is too coarse a
mechanism to implement security policy for some people. Imagine if
you will that you're using IPSEC in an "extranet" situation; that is,
to secure communication between two different parties. Perhaps between
you and your supplier
Hi,
I'm not worried about people modifying the IPSec packets en route, that's
what we have strong crypto for.
I am worried about giving the network at the other end of the tunnel full
access to mine. In only a few of the many possible IPSec implementations do
both ends of the tunnel follow the s
an anyone point me to some sample mpd-netgraph (3.3) configurations for
Microsoft PPTP clients...
using encyption... for all win98 up to win2k?
i'm using (with pptp0 up to pptp4, say)...
pptp0:
new -i ng0 pptp0 pptp0
set iface disable on-demand
Hi,
If you have a IPSec packet you can't see the data(even if u can it's
useless as it's encrypted). unless you exchange keys and know what the
encryption algorithm we can't decrypt and know the information being passed.
Hence, the fact that we are using IPsec gives greater security than any
fir
Hi,
I don't think this is quite correct.
The fact that I have a tunnel means I have some relation with the other
network, and that I do not trust the network(s) between us.
It does NOT mean that I trust their security setup and want to receive any
packet that they send me.
So I would certainly
Hi All,
I have one question? If we have a FreeBSD box configured as a router and
we are not supporting a DHCP like protocol then do we drop packets with
0.0.0.0 source address? As per RFC 1812 we must.
Regards
Kshitij
_
Do You Yahoo!?
Ge
Hello
IPSec Tunnel security is working like this: You have to permit traffic to
the Tunnel, this you can du with Access-Lists on a Firewall (ie ipfw)
In the Tunnel, only permitted traffic will be transmitted, so you don't have
to filter packets comming from the IPSec Tunnel. It's not interesting
Hi Rene,
I'm wondering why do you want to filter Secure traffic?
The very fact that you have a tunnel to a place means you trust that
network. Hence, why filter?
What are the complex situations you have in mind?
Regards
Kshitij
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EM
On Mon, Jan 14, 2002 at 09:40:23AM +0100, Andreas Klemm wrote:
> On Sun, Jan 13, 2002 at 11:25:41PM -0800, Crist J . Clark wrote:
> > On Sun, Jan 13, 2002 at 11:56:36AM +0100, Andreas Klemm wrote:
> > > I found a document describing a firewall design only using natd
> > > for redirects to internal
On Sun, Jan 13, 2002 at 11:25:41PM -0800, Crist J . Clark wrote:
> On Sun, Jan 13, 2002 at 11:56:36AM +0100, Andreas Klemm wrote:
> > I found a document describing a firewall design only using natd
> > for redirects to internal network resources. (Hi Marshall, therefore
> > Cc: to you, since its y
23 matches
Mail list logo
