Re: free s/wan

From: Bill_Roydsat_private
Date: Wed Oct 06 1999 - 08:23:26 PDT


    Here is some commentary on the Free s/wan compatibility issue by Richard Guy
    Briggs (who wrote the Free S/Wan kernel).
    ---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
    11:20 AM ---------------------------
    
    
    Richard Guy Briggs <rgbat_private> on 06/10/99 11:04:12 AM
    
    To:   Bill Royds/HullOttawa/PCH/CA@PCH
    cc:   rgbat_private
    Subject:  Re: free s/wan
    
    
    
    Thanks for the chance to comment, please forward them where
    appropriate.  Comments in-line.  I will let you reformat for your
    audience.
    
    On Wed, Oct 06, 1999 at 10:12:53AM -0400, Bill_Roydsat_private wrote:
    > Richard, there has been a discussion of Free S/WAn interoperability
    > on the firewalls-wizards listserver. You may want to comment. If so,
    > you can forward it to me and I will send it in your name.
    > ---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
    > 10:10 AM ---------------------------
    >
    >
    > "R. DuFresne" <dufresneat_private> on 04/10/99 10:07:27 PM
    >
    > Please respond to "R. DuFresne" <dufresneat_private>
    >
    > To:   Siglite <sigliteat_private>
    > cc:   firewall-wizardsat_private (bcc: Bill Royds/HullOttawa/PCH/CA)
    > Subject:  Re: free s/wan
    >
    >
    >
    > On Sat, 2 Oct 1999, Siglite wrote:
    >
    > >
    > > Has anyone out there done a real serious penetration test on free s/wan?
    > >
    > > Free s/wan listens on a few services, and I was wondering if anyone's
    > > attempted to break these.  Also, could anyone give me a quick sanity check
    > > for my proposed implementation of it.....
    > >
    >
    > s/wan is running extra services, or is your OS running these extra
    > services, which you forgot to document?
    
    This sounds suspiciously like other stuff running.  The only port we
    open is UDP/500, which is IKE, for negotiating new keys automatically.
    It is not necessary to encrypt that traffic as it has its own
    encryption scheme.  We don't open any other ports.  It is standard
    IPSEC.
    
    > `````
    >
    > For the rest of the list;
    >
    > Are there any VPN products that do not require the same setup on both ends
    > to implement?  (i.e. VPN products that are cross-compatible with other
    > products out there)
    >
    > Thanks,
    >
    >
    >
    > Ron DuFresne
    > --
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >         admin & senior consultant:  darkstar.sysinfo.com
    >                   http://darkstar.sysinfo.com
    >
    > "Cutting the space budget really restores my faith in humanity.  It
    > eliminates dreams, goals, and ideals and lets us get straight to the
    > business of hate, debauchery, and self-annihilation."
    >                 -- Johnny Hart
    >
    > testing, only testing, and damn good at it too!
    >
    
    
    >
    > ---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
    > 10:10 AM ---------------------------
    >
    >
    > Siglite <sigliteat_private> on 04/10/99 11:08:30 PM
    >
    > Please respond to Siglite <sigliteat_private>
    >
    > To:   "R. DuFresne" <dufresneat_private>
    > cc:   firewall-wizardsat_private (bcc: Bill Royds/HullOttawa/PCH/CA)
    > Subject:  Re: free s/wan
    >
    >
    >
    > Free s/wan runs a service for key exchanging.  I believe it's called
    > pluto. The operating system would only be running sshd and the free s/wan
    > services.
    
    Right, pluto uses IKE, UDP/500.  We don't need ssh in order to
    operate, although it may help to configure the machines involved more
    easily than via sneakernet.
    
    > /*-----------------------------------*/
    > /* I live with FEAR every day.       */
    > /* But, sometimes, she lets me RACE. */
    > /*-----------------------------------*/
    >
    > KT Morgan
    > Network Engineer
    > Checkpoint Firewall-1 CCSA/CCSE
    > Microsoft MCP
    > Software Systems Group, Inc
    >
    >
    > the compaq support website, crib notes version:
    > "you cant do that."
    >
    > On Mon, 4 Oct 1999, R. DuFresne wrote:
    >
    > > On Sat, 2 Oct 1999, Siglite wrote:
    > >
    > > >
    > > > Has anyone out there done a real serious penetration test on free s/wan?
    > > >
    > > > Free s/wan listens on a few services, and I was wondering if anyone's
    > > > attempted to break these.  Also, could anyone give me a quick sanity check
    > > > for my proposed implementation of it.....
    > > >
    > >
    > > s/wan is running extra services, or is your OS running these extra
    > > services, which you forgot to document?
    > >
    > >
    > >
    > > `````
    > >
    > > For the rest of the list;
    > >
    > > Are there any VPN products that do not require the same setup on both ends
    > > to implement?  (i.e. VPN products that are cross-compatible with other
    > > products out there)
    > >
    > > Thanks,
    > >
    > >
    > >
    > > Ron DuFresne
    > > --
    > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > >         admin & senior consultant:  darkstar.sysinfo.com
    > >                   http://darkstar.sysinfo.com
    > >
    > > "Cutting the space budget really restores my faith in humanity.  It
    > > eliminates dreams, goals, and ideals and lets us get straight to the
    > > business of hate, debauchery, and self-annihilation."
    > >                 -- Johnny Hart
    > >
    > > testing, only testing, and damn good at it too!
    > >
    >
    
    
    >
    > ---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
    > 10:10 AM ---------------------------
    >
    >
    > "R. DuFresne" <dufresneat_private> on 05/10/99 02:23:39 PM
    >
    > Please respond to "R. DuFresne" <dufresneat_private>
    >
    > To:   Joseph S D Yao <jsdyat_private>
    > cc:   sigliteat_private, firewall-wizardsat_private (bcc: Bill
    >       Royds/HullOttawa/PCH/CA)
    > Subject:  Re: free s/wan (really interoperability)
    >
    >
    >
    > On Tue, 5 Oct 1999, Joseph S D Yao wrote:
    >
    > > Ron DuFresne had asked:
    > > > Are there any VPN products that do not require the same setup on both ends
    > > > to implement?  (i.e. VPN products that are cross-compatible with other
    > > > products out there)
    > >
    > > There is IPsec VPN server software out there that is sold without a
    > > client - one is directed to several other companies that make IPsec
    > > clients.  So it would seem that the answer, probably with some caveats,
    > > is, "yes."
    > >
    > > If you consider 'ssh' tunnels to be VPNs [you can do PPP through them],
    > > then there are also multiple implementations of 'ssh' and 'sshd'.
    > >
    >
    >
    > Okay, I can see the point here with sshd and the various ssh
    > implementations.  But, I'm more looking at this from a slightly different
    > perspective.  free s/wan as I understand it requires another free s/wan
    > box on the other side of the connection.  I'm trusting the same is the case
    > with cisco's VPN solution<s> and most likely with FW1's implementation, as
    > well as many of the other offerings.  Are any as flexible or nearly as
    > flexible in interoperability as the ssh/sshd implementations mentioned
    > thus far?
    
    It does not require a FreeS/WAN box on the other end, it requires
    another IPSEC implementation.  Other free ones that come to mind are
    KAME, OpenBSD, NIST.
    
    >
    >
    > Thanks,
    >
    > Ron DuFresne
    > --
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >         admin & senior consultant:  darkstar.sysinfo.com
    >                   http://darkstar.sysinfo.com
    >
    > "Cutting the space budget really restores my faith in humanity.  It
    > eliminates dreams, goals, and ideals and lets us get straight to the
    > business of hate, debauchery, and self-annihilation."
    >                 -- Johnny Hart
    >
    > testing, only testing, and damn good at it too!
    >
    
    
    >
    > ---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
    > 10:10 AM ---------------------------
    >
    >
    > Joseph S D Yao <jsdyat_private> on 05/10/99 01:38:07 PM
    >
    > Please respond to Joseph S D Yao <jsdyat_private>
    >
    > To:   dufresneat_private
    > cc:   sigliteat_private, firewall-wizardsat_private (bcc: Bill
    >       Royds/HullOttawa/PCH/CA)
    > Subject:  Re: free s/wan (really interoperability)
    >
    >
    >
    > Ron DuFresne had asked:
    > > Are there any VPN products that do not require the same setup on both ends
    > > to implement?  (i.e. VPN products that are cross-compatible with other
    > > products out there)
    >
    > There is IPsec VPN server software out there that is sold without a
    > client - one is directed to several other companies that make IPsec
    > clients.  So it would seem that the answer, probably with some caveats,
    > is, "yes."
    >
    > If you consider 'ssh' tunnels to be VPNs [you can do PPP through them],
    > then there are also multiple implementations of 'ssh' and 'sshd'.
    >
    > --
    > Joe Yao                  jsdyat_private - Joseph S. D. Yao
    > COSPO/OSIS Computer Support                        EMT-B
    > -----------------------------------------------------------------------
    > This message is not an official statement of COSPO policies.
    >
    
    
    >
    > ---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
    > 10:10 AM ---------------------------
    >
    >
    > Joseph S D Yao <jsdyat_private> on 05/10/99 03:17:29 PM
    >
    > Please respond to Joseph S D Yao <jsdyat_private>
    >
    > To:   dufresneat_private (R. DuFresne)
    > cc:   firewall-wizardsat_private (bcc: Bill Royds/HullOttawa/PCH/CA)
    > Subject:  Re: free s/wan (really interoperability)
    >
    >
    >
    > > On Tue, 5 Oct 1999, Joseph S D Yao wrote:
    > > > There is IPsec VPN server software out there that is sold without a
    > > > client - one is directed to several other companies that make IPsec
    > > > clients.  So it would seem that the answer, probably with some caveats,
    > > > is, "yes."
    > ...
    > > Which, if I read you correctly, was an unqualified 'yes'.  So, I'm
    > > looking for the qualifications, e.g.  those implementations <a listing>
    > > that will interwork with other implementations, i.e. cisco's VPN will work
    > > with FW1's VPN solution etc...
    >
    > Qualified "yes".  Unfortunately, I haven't been able to beat on any
    > yet.  We're waiting for ones that are interoperable AND have certain
    > other characteristics.
    >
    > The one I was specifically told about was ANS Interlock 5.0 [now UUnet
    > Interlock], interoperable with Red Creek, Time Step, IRE, and others.
    >
    > GTE Networking (formerly BBN) has a VPN product which is actually the
    > product of whoever else they feel to be ahead at the time ... they seem
    > to not feel at all uncomfortable about dropping in whichever product is
    > plug-compatible with the rest of their system.
    >
    > This has been discussed in the VPN mailing list quite a few times, and
    > I would have thought that it was a FAQ already, but it's not.  [Tina?]
    > There are pointers to www.isoc.org, which is pretty general, and also
    > the following:
    >
    > > there have been over two years of IPSec interoperability tests, which
    > > TimeStep and Cisco and a handful of firewall vendors have attended.  So we
    > > have been successfully interoperating in a lab environment since Jan 97.
    > > But last year since ICSA certified IPSec products, we have had real
    > > real-world testing certification.  Being ICSA IPSec certified means that
    > > these products should work out in the field.  A list of vendors who have
    > > achieved this certification can be found at
    > > http://www.icsa.net/services/product_cert/ipsec/certified_products.shtml.
    > >
    > > Roy Pereira
    > > Product Management
    > > TimeStep Corporation
    > > (613) 599-3610 x4808
    > > http://www.timestep.com
    >
    > Roy is pretty confident in interoperability.  Others feel it's close,
    > and good enough for some but not for others.
    >
    > Hope this helps.
    >
    > --
    > Joe Yao                  jsdyat_private - Joseph S. D. Yao
    > COSPO/OSIS Computer Support                        EMT-B
    > -----------------------------------------------------------------------
    > This message is not an official statement of COSPO policies.
    >
    
    
    
         slainte mhath, RGB
    --
    Richard Guy Briggs -- PGP key available                Auto-Free Ottawa! Canada
    <http://www.conscoop.ottawa.on.ca/rgb/>                   </www.flora.org/afo/>
    Prevent Internet Wiretapping!       --      FreeS/WAN:<www.xs4all.nl/~freeswan>
    Thanks for voting Green! -- <green.ca>          Marillion:<www.marillion.co.uk>
    
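    A sanity check in the spirit of the question that opened the thread, added here as an editor's example (it is not FreeS/WAN code and was not posted by anyone above): it audits a gateway's listening sockets against the profile RGB describes, pluto on UDP/500 plus sshd on TCP/22, and reports anything else. The netstat-style input, the allowlist and the parsing are assumptions.

```python
# Added example (not from the thread): audit a FreeS/WAN gateway's listening
# sockets against the profile the thread describes: pluto on UDP/500 (IKE)
# plus sshd on TCP/22, and nothing else. Input is constructed "netstat -an"
# style output; the allowlist and parsing are assumptions, not FreeS/WAN code.
import re

# Expected listeners on a FreeS/WAN gateway per the thread (constructed allowlist).
EXPECTED = {("udp", 500), ("tcp", 22)}

# Matches the Proto / Local Address / Foreign Address / State columns of
# Linux "netstat -an" output (assumed layout).
_LINE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+)\s*(\S*)")

def listening_sockets(netstat_output):
    """Return the set of (proto, port) the host is bound on.

    TCP entries count only in LISTEN state; every bound UDP socket counts,
    since UDP has no listen state.
    """
    found = set()
    for line in netstat_output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header line or a protocol we do not audit
        proto, port, state = m.group(1), int(m.group(3)), m.group(5)
        if proto == "tcp" and state != "LISTEN":
            continue  # established/closing TCP connections are not listeners
        found.add((proto, port))
    return found

def unexpected_listeners(netstat_output, expected=EXPECTED):
    """Return listeners outside the expected profile, sorted for reporting."""
    return sorted(listening_sockets(netstat_output) - expected)

# Constructed sample: a gateway running pluto and sshd, plus a stray portmapper
# on 111 and an established SSH session (not a listener, must be ignored).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.1:22            192.0.2.50:1034         ESTABLISHED
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:500             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE):
        print(f"unexpected listener: {proto}/{port}")
```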



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:26 PDT