Re: [Full-Disclosure] MSN\Qwest ships DSL modem with "unconfigurable" firewall
- To: James Lay <jlay@xxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] MSN\Qwest ships DSL modem with "unconfigurable" firewall
- From: "Volker Tanger" <volker.tanger@xxxxxxxxx>
- Date: Mon, 5 Apr 2004 10:04:54 +0200
Greetings!
On Fri, 2 Apr 2004 10:19:59 -0700 James Lay <jlay@xxxxxxxxxxxx> wrote:
> Real quick...just implemented a Cisco VPN concentrator here and lo and
> behold certain users couldn't get in. The concentrator is set up with
> the standard UDP port 500. All users BESIDES MSN\Qwest DSL users
> could get right on. After a few calls and some frustration, Qwest
> informed us that the firewall on the DSL router they ship is
> "unconfigurable".
That is because you'll need AH/ESP (== IP type 50/51) in addition to
IKE if you want to implement an IPSec VPN.
Most el-cheapo routers only support
ICMP (== IP type 1)
TCP (== IP type 6)
and UDP (== IP type 17)
Thus you'd need an encapsulation of ESP traffic like the soft-VPN
clients of Nortel and CheckPoint offer (probably just because of this
problem). Or you'd have to have a router that really supports
"IPSec-Forwarding" (i.e. blind forwarding of IP types 50+51 to a
specific IP to be configured in the router). Data sheets don't always
tell the truth here, so you really should verify before rollout...
Qapla'
Volker Tanger
ITK Security
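To make the point above concrete, here is a small added example (not part of the original mail, and not any vendor's firmware). It builds the four kinds of packets an IPsec client emits (IKE on UDP/500, raw ESP as IP protocol 50, raw AH as IP protocol 51, and ESP wrapped in UDP/4500 as NAT traversal per RFC 3948 does it) and runs them through two toy router models: the "el-cheapo" modem that only passes IP protocols 1/6/17, and a router with real IPSec forwarding that hands protocols 50/51 to one configured inside host. The addresses, SPI and payload bytes are constructed; the UDP/4500 case generalises the "encapsulation of ESP traffic" the mail mentions to the standardised form.

```python
"""Why IKE gets through a consumer DSL modem but ESP/AH do not.

Added example, not from the original post. Addresses, SPI and payloads are
constructed; the two 'router' functions are a toy model of the forwarding
rules described in the mail, not any vendor's firmware.
"""
import socket
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17   # what cheap routers forward
IPPROTO_ESP, IPPROTO_AH = 50, 51                   # what IPsec additionally needs
IKE_PORT, NATT_PORT = 500, 4500                    # IKE, and UDP-encapsulated ESP (RFC 3948)

CLIENT = "192.0.2.10"           # constructed: roaming user behind the DSL modem
CONCENTRATOR = "198.51.100.1"   # constructed: the VPN concentrator


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options; checksum left zero) followed by payload."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp_datagram(sport, dport, data):
    """UDP header (checksum left zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp_packet(spi, seq, ciphertext):
    """ESP header: SPI, sequence number, then the (here: fake) encrypted body."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse(pkt):
    """Return (proto, dst, sport, dport); ports are None unless TCP/UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = socket.inet_ntoa(pkt[16:20])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, dst, sport, dport


def cheap_router(pkt):
    """The modem from the post: only IP protocols 1, 6 and 17 are forwarded."""
    proto = parse(pkt)[0]
    return "forward" if proto in (IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP) else "drop"


def ipsec_forwarding_router(pkt, ipsec_host):
    """A router with real 'IPSec forwarding': protocols 50/51 are blindly
    handed to one configured inside host; everything else as cheap_router."""
    proto = parse(pkt)[0]
    if proto in (IPPROTO_ESP, IPPROTO_AH):
        return f"forward to {ipsec_host}"
    return cheap_router(pkt)


def build_flows():
    """The four kinds of packets an IPsec client emits, all constructed."""
    esp = esp_packet(spi=0x1000, seq=1, ciphertext=b"\xaa" * 32)
    return {
        "ike udp/500": ipv4_packet(CLIENT, CONCENTRATOR, IPPROTO_UDP,
                                   udp_datagram(IKE_PORT, IKE_PORT, b"\x00" * 28)),
        "esp ip/50": ipv4_packet(CLIENT, CONCENTRATOR, IPPROTO_ESP, esp),
        "ah ip/51": ipv4_packet(CLIENT, CONCENTRATOR, IPPROTO_AH, b"\x00" * 24),
        # NAT-T style: the same ESP packet wrapped in UDP/4500 (RFC 3948)
        "esp in udp/4500": ipv4_packet(CLIENT, CONCENTRATOR, IPPROTO_UDP,
                                       udp_datagram(NATT_PORT, NATT_PORT, esp)),
    }


def verdicts(router=cheap_router):
    """Run every flow through a router model and return {flow: verdict}."""
    return {name: router(pkt) for name, pkt in build_flows().items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:16} -> {verdict}")
```

Run stand-alone, the cheap-router model forwards the IKE and UDP/4500 packets and drops raw ESP and AH, which is exactly the symptom in the original report: phase 1 negotiates over UDP/500, then no traffic flows. The model deliberately ignores NAT and port translation; it only shows the protocol-number filter. As the mail says, the only reliable check for a given modem is empirical: put a host behind it, send protocol 50/51 from outside, and capture on the inside to see whether anything arrives.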
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html