- To: "MLUG Members" <EMAIL:PROTECTED>
- Subject: RE: [MLUG] vpnc (kvpnc)
- From: "McNutt, Justin M." <EMAIL:PROTECTED>
- Date: Mon, 1 Aug 2005 11:12:28 -0500
- Delivery-date: Mon, 01 Aug 2005 11:12:37 -0500
- Envelope-to: EMAIL:PROTECTED
- Reply-to: MLUG Members <EMAIL:PROTECTED>
- Sender: EMAIL:PROTECTED
- Thread-index: AcWWspVlzBt3HH4bQNyaeTppo7sqrwAACzbQ
- Thread-topic: [MLUG] vpnc (kvpnc)
> You sent it from what SMTP server? If you do as I do and use
> smtp.mizzou.edu with TLS encryption and a login, you can use that SMTP
> no matter who your ISP is. It is a local resource on the MU network and
> should work when you're doing a VPN. If you use another SMTP server,
> such as mail.mchsi.com, it should not send. A VPN should block the
> Internet from the connection so you don't introduce the Internet into
> the local network through the VPN gateway. My information might be
> outdated, but this is at least the way it *used* to be.
This is implementation-specific, so it depends whose VPN you use. The rest of this e-mail applies to UMC campus ONLY.
When you connect to a VPN, it's just like connecting to a dial-up server. The difference is that with dial-up, you start with NO connection, and then you're attached to the dial-up subnet (wherever that is). Once attached, you're subject to whatever filters and firewalls apply to the dial-up network.
Same with VPNs. Once you attach to a VPN concentrator, you're on the VPN's network, and subject to whatever filters and firewalls protect THAT network. Whatever applies to your local physical network is now irrelevant... ASSUMING that the VPN connection is actually established.
So, first things first. Is your connection established? Two cases:
1) You are using NAT. You connect to the VPN concentrator on UDP port 500 (IKE) to authenticate. Once you have authenticated, you connect to the VPN concentrator over UDP port 4500 (this is the encrypted tunnel). This is called NAT-T, and though it is arguably *slightly* less secure, it works very well.
2) You are NOT using NAT. You connect to the VPN concentrator on UDP port 500 (IKE) to authenticate. Once you have authenticated, the VPN concentrator connects BACK to YOU using ESP (Encapsulating Security Payload), which is IP protocol 50. Note that this is NOT TCP OR UDP. ESP is a separate layer 4 protocol all its own. TCP is IP protocol 11, UDP is IP protocol 6, ICMP is IP protocol 1, and ESP is IP protocol 50. Hence, there are no "port numbers" for ICMP or ESP.
This is where it gets tricky. If you aren't using NAT and your local firewall/filtering devices/whatever don't allow the ESP traffic back from the VPN concentrator, you authenticate just fine and *appear* to be connected, but the tunnel doesn't work.
In any case, launch Ethereal and capture for host vpn1.missouri.edu to see what's going on.
--J
P.S. We could talk about more exceptions to the above scenario, like split tunneling, but that gets too far afield from the original problem. We can start a thread on that if someone likes.
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
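The diagnosis Justin describes above (IKE on UDP 500, then either UDP 4500 for NAT-T or raw ESP, IP protocol 50, coming back from the concentrator) can be turned into a mechanical check over a packet capture. The following is an added example for this archive page, not code from the original message or from vpnc/kvpnc. It works on a simplified packet summary rather than a pcap, the addresses and the two sample captures are constructed, and the protocol numbers are the IANA-registered ones. The `bpf_filter` helper produces the tcpdump/Ethereal capture filter equivalent to "capture for host vpn1.missouri.edu", restricted to the three traffic types that matter.

```python
"""Classify IKE / NAT-T / ESP traffic between a VPN client and concentrator
and say whether the tunnel actually came up.

Added example; not part of the original list message. Packet records and
addresses below are constructed, not a real capture.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# IANA-assigned IP protocol numbers
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50

IKE_PORT = 500     # ISAKMP / IKE
NATT_PORT = 4500   # UDP-encapsulated ESP (NAT-T)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for port-less protocols (ESP, ICMP)
    dport: Optional[int] = None


def bpf_filter(concentrator: str) -> str:
    """Capture filter for tcpdump/Ethereal: only IKE, NAT-T and ESP to/from the gateway."""
    return f"host {concentrator} and (udp port {IKE_PORT} or udp port {NATT_PORT} or ip proto {PROTO_ESP})"


def classify(pkt: Packet) -> str:
    """Label a packet as ike, nat-t, esp, or other."""
    if pkt.proto == PROTO_ESP:
        return "esp"
    if pkt.proto == PROTO_UDP and IKE_PORT in (pkt.sport, pkt.dport):
        return "ike"
    if pkt.proto == PROTO_UDP and NATT_PORT in (pkt.sport, pkt.dport):
        return "nat-t"
    return "other"


def diagnose(packets: Iterable[Packet], client: str, concentrator: str) -> str:
    """Decide from the capture which of the cases in the message applies.

    Returns one of:
      no-ike-attempt       nothing sent to UDP/500 at all
      ike-unreachable      IKE sent, no IKE reply (UDP/500 blocked or wrong host)
      tunnel-up-nat-t      IKE completed, UDP/4500 seen in both directions
      tunnel-up-esp        IKE completed, ESP seen coming back from the concentrator
      nat-t-replies-blocked IKE completed, UDP/4500 out but nothing back
      esp-inbound-blocked  IKE completed, ESP out but nothing back (the "tricky" case)
      ike-only             IKE completed, no tunnel traffic either way
    """
    seen = {("ike", d): False for d in ("out", "in")}
    seen.update({(k, d): False for k in ("nat-t", "esp") for d in ("out", "in")})
    for p in packets:
        if p.src == client and p.dst == concentrator:
            direction = "out"
        elif p.src == concentrator and p.dst == client:
            direction = "in"
        else:
            continue                      # unrelated traffic on the wire
        kind = classify(p)
        if kind != "other":
            seen[(kind, direction)] = True

    if not seen[("ike", "out")]:
        return "no-ike-attempt"
    if not seen[("ike", "in")]:
        return "ike-unreachable"
    if seen[("nat-t", "in")]:
        return "tunnel-up-nat-t"
    if seen[("esp", "in")]:
        return "tunnel-up-esp"
    if seen[("nat-t", "out")]:
        return "nat-t-replies-blocked"
    if seen[("esp", "out")]:
        return "esp-inbound-blocked"
    return "ike-only"


# Constructed sample captures (assumed addresses; CONCENTRATOR stands in for the gateway)
CLIENT = "192.0.2.10"
CONCENTRATOR = "198.51.100.1"

SAMPLE_NAT_T = [
    Packet(CLIENT, CONCENTRATOR, PROTO_UDP, IKE_PORT, IKE_PORT),
    Packet(CONCENTRATOR, CLIENT, PROTO_UDP, IKE_PORT, IKE_PORT),
    Packet(CLIENT, CONCENTRATOR, PROTO_UDP, NATT_PORT, NATT_PORT),
    Packet(CONCENTRATOR, CLIENT, PROTO_UDP, NATT_PORT, NATT_PORT),
    Packet(CLIENT, "203.0.113.9", PROTO_TCP, 40000, 80),   # unrelated, ignored
]

SAMPLE_ESP_BLOCKED = [
    Packet(CLIENT, CONCENTRATOR, PROTO_UDP, IKE_PORT, IKE_PORT),
    Packet(CONCENTRATOR, CLIENT, PROTO_UDP, IKE_PORT, IKE_PORT),
    Packet(CLIENT, CONCENTRATOR, PROTO_ESP),
    Packet(CLIENT, CONCENTRATOR, PROTO_ESP),
    # no ESP back from the concentrator: a local filter dropped protocol 50
]

if __name__ == "__main__":
    print(bpf_filter("vpn1.missouri.edu"))
    print("NAT-T capture:", diagnose(SAMPLE_NAT_T, CLIENT, CONCENTRATOR))
    print("ESP capture:  ", diagnose(SAMPLE_ESP_BLOCKED, CLIENT, CONCENTRATOR))
```

The second sample is exactly the situation the message warns about: authentication on UDP/500 succeeds in both directions, the client emits ESP, and nothing comes back, so the client looks connected while no traffic crosses the tunnel. Feeding a real capture through this only requires mapping each frame to a `Packet` (src, dst, IP protocol, and UDP ports where present).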