FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP

John Hovell john.hovell at home.com
Sat Sep 9 21:20:00 CDT 2000


Patrick --

Patrick Reid wrote:

> This could also be very useful for people who have machines which are behind
> an NAT wall which they don't control (like my own high-speed link).

Yeah, I thought so!  Or countries that don't allow proto 50 etc...

> However, if I already have a PPTP link up and can then run IPSec over it,
> this means I could have IPSec encryption, which is generally felt to be
> superior to MSChap v2 (even with the patch in place).

What do you mean, patch?  You don't mean patching pppd for Linux, do you?  I
mean without that in place, there is *zero* encryption.  And AFAIK, the "128 bit
enc." is really insecure b/c of protocol design.

Please let me know if you are talking about something else...

Cheers,
John

>
> Thanks for this info!
>
> Patrick Reid - mailto:PReid at candesco.com
> Candesco Research Corp.
> Communication Centre: <http://www.mirabilis.com/1052176>
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Hovell
> Sent: September 6, 2000 12:55 AM
> To: Justin Kreger; pptp-server at lists.schulte.org
> Subject: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP
>
> Hello all --
>
> I solved the problem... IPSec over PPP is possible.  This is just wacky, but
> this is what to do:
>
> PGPnet only wants to bind to your "Dial Up Adapter" -- not #2 for VPN
> support as one might logically think.  Bind it to "Dial Up" and it works
> like a charm.
>
> This might actually be useful to people who aren't allowed to transmit
> protocols 50 or 51... since they can tunnel it all over tcp/1723 and still
> get IPSec data encryption.
>
> Cheers,
> John
>
> John Hovell wrote:
>
> > Justin --
> >
> > This is because PGPnet sucks so much, that for no discernible reason when
> > I try to bind PGPnet to my Ethernet card on one of the machines, I can't
> > get any network connectivity.  I have reinstalled the ether card 3 times...
> > and even installed the driver files manually by hand.  The card is a 3com
> > PCMCIA 3c574 Cardbus card.  It works beautifully without PGPnet... The
> > reason I am doing the bass-ackwards configuration is because PGPnet will at
> > least bind to the VPN dial-up adapter... but that may be just my problem.
> >
> > Any other ideas?  Thanks for your help...
> >
> > Cheers,
> > John
> >
> > Justin Kreger wrote:
> >
> > > Why not set up two linux boxes to do the IPSec?  and just have the
> > > windows boxes use pptp so they can browse the remote network if you
> > > didn't set up your ipsec wan so it passes the Browser List.
> > > -LW
> > >
> > > -----Original Message-----
> > > From: John Hovell [mailto:john.hovell at home.com]
> > > Sent: Monday, September 04, 2000 1:58 AM
> > > To: pptp-server at lists.schulte.org
> > > Subject: [pptp-server] IPSec *over* PPtP
> > >
> > > Hello all --
> > >
> > > I have some Win98 boxes that want to do IPSec over their PPTP
> > > connection... just transport mode from one computer to another.  The
> > > IPSec SA is currently successful (both phase 1 and 2).. everything seems
> > > to be set up fine, until I actually try to send data.  If I try to ping
> > > the remote VPN client from the IPSec machine on the local lan I get
> > > (from tcpdump):
> > >
> > > 01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76
> > > 01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol
> > > 50 unreachable
> > >
> > > If I do the same thing from the remote host I get:
> > >
> > > 01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request
> > >
> > > (note the lack of encryption despite the *established* SA...)
> > >
> > > Do I need to somehow enable protocol 50 (and 51)?? IPchains forward is
> > > set up to accept all traffic between these hosts.  There is no
> > > masquerading between the two machines.
> > >
> > > Does anyone know what I am missing?  FYI, I am using PGPnet 6.5.8
> > > Personal Privacy (freeware) on both Windows IPSec machines.
> > >
> > > TiA for any advice or help...
> > >
> > > Cheers,
> > > John
> > >
> > > _______________________________________________
> > > pptp-server maillist  -  pptp-server at lists.schulte.org
> > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > List services provided by www.schulteconsulting.com!
> >

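The two tcpdump excerpts in the thread show the two failure modes worth checking whenever an IPsec SA is reported as "up": ESP packets (ip-proto-50) being answered with an ICMP "protocol 50 unreachable" from the peer, and pings between the two peers leaving in the clear despite the established SA. The script below is an added example, not code from any poster on this list; it parses the old tcpdump line format quoted above and flags both conditions for a given pair of hosts. The trace lines it runs on are constructed to match that format, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample lines in the old tcpdump format the thread quotes
# (NOT a capture from the poster's machines): one rejected ESP packet,
# one cleartext ping exchange, and two ESP packets that did get through.
SAMPLE_TRACE = """\
01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76
01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol 50 unreachable
01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request
01:53:07.590001 > 172.16.0.4 > 172.16.0.175: icmp: echo reply
01:55:10.000000 < 172.16.0.4 > 172.16.0.175: ip-proto-50 100
01:55:10.000500 > 172.16.0.175 > 172.16.0.4: ip-proto-50 100
"""

# "<ts> <dir> <src> > <dst>: <rest>" as printed by tcpdump of that era
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) [<>] (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$"
)
PROTO_RE = re.compile(r"^ip-proto-(?P<num>\d+)\b")
UNREACH_RE = re.compile(r"protocol (?P<num>\d+) unreachable")

ESP, AH = 50, 51  # IP protocol numbers for IPsec ESP and AH


def parse_line(line):
    """Return (src, dst, kind, detail) for one tcpdump line, or None if it
    does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    p = PROTO_RE.match(rest)
    if p:
        num = int(p["num"])
        if num == ESP:
            return m["src"], m["dst"], "esp", num
        if num == AH:
            return m["src"], m["dst"], "ah", num
        return m["src"], m["dst"], "cleartext", rest
    u = UNREACH_RE.search(rest)
    if rest.startswith("icmp:") and u:
        # The *sender* of this ICMP is the host whose stack refused the protocol.
        return m["src"], m["dst"], "proto_unreachable", int(u["num"])
    return m["src"], m["dst"], "cleartext", rest


def audit_ipsec_pair(trace, host_a, host_b):
    """Summarise whether traffic between two hosts that share an IPsec SA is
    actually protected. Packets not between the pair are ignored."""
    pair = {host_a, host_b}
    findings = {"esp": 0, "ah": 0, "cleartext": [], "rejected": Counter()}
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, kind, detail = rec
        if {src, dst} != pair:
            continue
        if kind in ("esp", "ah"):
            findings[kind] += 1
        elif kind == "proto_unreachable":
            findings["rejected"][(src, detail)] += 1
        else:
            findings["cleartext"].append((src, dst, detail))
    return findings


def verdict(findings):
    """Reduce the findings to the one condition an operator should act on first."""
    if findings["rejected"]:
        return "esp-rejected"    # peer stack or a filter in the path drops proto 50/51
    if findings["cleartext"]:
        return "cleartext-leak"  # SA is up, but packets are bypassing it
    if findings["esp"] or findings["ah"]:
        return "protected"
    return "no-traffic"


if __name__ == "__main__":
    f = audit_ipsec_pair(SAMPLE_TRACE, "172.16.0.4", "172.16.0.175")
    print("ESP packets:", f["esp"])
    print("rejected:", dict(f["rejected"]))
    print("cleartext:", f["cleartext"])
    print("verdict:", verdict(f))
```

On the constructed trace this reports one "protocol 50 unreachable" from 172.16.0.175, two cleartext ICMP packets, and the verdict `esp-rejected`; on a trace where the binding fix from the thread has been applied, only ESP lines between the pair should remain and the verdict becomes `protected`.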