Firewall Wizards mailing list archives

Re: free s/wan


From: Bill_Royds () pch gc ca
Date: Wed, 6 Oct 1999 11:23:26 -0400

Here is some commentary on the Free s/wan compatibility issue by Richard Guy
Briggs (who wrote the Free S/Wan kernel).
---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
11:20 AM ---------------------------


Richard Guy Briggs <rgb () conscoop ottawa on ca> on 06/10/99 11:04:12 AM

To:   Bill Royds/HullOttawa/PCH/CA@PCH
cc:   rgb () conscoop ottawa on ca
Subject:  Re: free s/wan



Thanks for the chance to comment, please forward them where
appropriate.  Comments in-line.  I will let you reformat for your
audience.

On Wed, Oct 06, 1999 at 10:12:53AM -0400, Bill_Royds () pch gc ca wrote:
Richard, there has been a discussion of Free S/WAn interoperability
on the firewalls-wizards listserver. You may want to comment. If so,
you can forward it to me and I will send it in your name.
---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
10:10 AM ---------------------------


"R. DuFresne" <dufresne () sysinfo com> on 04/10/99 10:07:27 PM

Please respond to "R. DuFresne" <dufresne () sysinfo com>

To:   Siglite <siglite () criticalstop com>
cc:   firewall-wizards () nfr net (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  Re: free s/wan



On Sat, 2 Oct 1999, Siglite wrote:


Has anyone out there done a real serious penetration test on free s/wan?

Free s/wan listens on a few services, and I was wondering if anyone's
attempted to break these.  Also, could anyone give me a quick sanity check
for my proposed implementation of it.....


s/wan is running extra services, or is your OS running these extra
services, which you forgot to document?

This sounds suspiciously like other stuff running.  The only port we
open is UDP/500, which is IKE, for negotiating new keys automatically.
It is not necessary to encrypt that traffic as it has its own
encryption scheme.  We don't open any other ports.  It is standard
IPSEC.

`````

For the rest of the list;

Are there any VPN products that do not require the same setup on both ends
to implement?  (i.e. VPN products that are cross-compatible with other
products out there)

Thanks,



Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!




---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
10:10 AM ---------------------------


Siglite <siglite () criticalstop com> on 04/10/99 11:08:30 PM

Please respond to Siglite <siglite () criticalstop com>

To:   "R. DuFresne" <dufresne () sysinfo com>
cc:   firewall-wizards () nfr net (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  Re: free s/wan



Free s/wan runs a service for key exchanging.  I believe it's called
pluto. The operating system would only be running sshd and the free s/wan
services.

Right, pluto uses IKE, UDP/500.  We don't need ssh in order to
operate, although it may help to configure the machines involved more
easily than via sneakernet.

/*-----------------------------------*/
/* I live with FEAR every day.       */
/* But, sometimes, she lets me RACE. */
/*-----------------------------------*/

KT Morgan
Network Engineer
Checkpoint Firewall-1 CCSA/CCSE
Microsoft MCP
Software Systems Group, Inc


the compaq support website, crib notes version:
"you cant do that."

On Mon, 4 Oct 1999, R. DuFresne wrote:

On Sat, 2 Oct 1999, Siglite wrote:


Has anyone out there done a real serious penetration test on free s/wan?

Free s/wan listens on a few services, and I was wondering if anyone's
attempted to break these.  Also, could anyone give me a quick sanity check
for my proposed implementation of it.....


s/wan is running extra services, or is your OS running these extra
services, which you forgot to document?



`````

For the rest of the list;

Are there any VPN products that do not require the same setup on both ends
to implement?  (i.e. VPN products that are cross-compatible with other
products out there)

Thanks,



Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!





---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
10:10 AM ---------------------------


"R. DuFresne" <dufresne () sysinfo com> on 05/10/99 02:23:39 PM

Please respond to "R. DuFresne" <dufresne () sysinfo com>

To:   Joseph S D Yao <jsdy () cospo osis gov>
cc:   siglite () criticalstop com, firewall-wizards () nfr net (bcc: Bill
      Royds/HullOttawa/PCH/CA)
Subject:  Re: free s/wan (really interoperability)



On Tue, 5 Oct 1999, Joseph S D Yao wrote:

Ron DuFresne had asked:
Are there any VPN products that do not require the same setup on both ends
to implement?  (i.e. VPN products that are cross-compatible with other
products out there)

There is IPsec VPN server software out there that is sold without a
client - one is directed to several other companies that make IPsec
clients.  So it would seem that the answer, probably with some caveats,
is, "yes."

If you consider 'ssh' tunnels to be VPNs [you can do PPP through them],
then there are also multiple implementations of 'ssh' and 'sshd'.



Okay, I can see the point here with sshd and the various ssh
implementations.  But, I'm more looking at this from a slightly different
perspective.  free s/wan as I understand it requires another free s/wan
box on the other side of the connection.  I'm trusting the same is the case
with cisco's VPN solution<s> and most likely with FW1's implementation, as
well as many of the other offerings.  Are any as flexible or nearly as
flexible in interoperability as the ssh/sshd implementations mentioned
thus far?

It does not require a FreeS/WAN box on the other end, it requires
another IPSEC implementation.  Other free ones that come to mind are
KAME, OpenBSD, NIST.



Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!




---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
10:10 AM ---------------------------


Joseph S D Yao <jsdy () cospo osis gov> on 05/10/99 01:38:07 PM

Please respond to Joseph S D Yao <jsdy () cospo osis gov>

To:   dufresne () sysinfo com
cc:   siglite () criticalstop com, firewall-wizards () nfr net (bcc: Bill
      Royds/HullOttawa/PCH/CA)
Subject:  Re: free s/wan (really interoperability)



Ron DuFresne had asked:
Are there any VPN products that do not require the same setup on both ends
to implement?  (i.e. VPN products that are cross-compatible with other
products out there)

There is IPsec VPN server software out there that is sold without a
client - one is directed to several other companies that make IPsec
clients.  So it would seem that the answer, probably with some caveats,
is, "yes."

If you consider 'ssh' tunnels to be VPNs [you can do PPP through them],
then there are also multiple implementations of 'ssh' and 'sshd'.

--
Joe Yao                  jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                        EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.




---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 06/10/99
10:10 AM ---------------------------


Joseph S D Yao <jsdy () cospo osis gov> on 05/10/99 03:17:29 PM

Please respond to Joseph S D Yao <jsdy () cospo osis gov>

To:   dufresne () sysinfo com (R. DuFresne)
cc:   firewall-wizards () nfr net (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  Re: free s/wan (really interoperability)



On Tue, 5 Oct 1999, Joseph S D Yao wrote:
There is IPsec VPN server software out there that is sold without a
client - one is directed to several other companies that make IPsec
clients.  So it would seem that the answer, probably with some caveats,
is, "yes."
...
Which, if I read you correctly, was an unqualified 'yes'.  So, I'm
looking for the qualifications, e.g.  those implementations <a listing>
that will interwork with other implementations, i.e. cisco's VPN will work
with FW1's VPN solution etc...

Qualified "yes".  Unfortunately, I haven't been able to beat on any
yet.  We're waiting for ones that are interoperable AND have certain
other characteristics.

The one I was specifically told about was ANS Interlock 5.0 [now UUnet
Interlock], interoperable with Red Creek, Time Step, IRE, and others.

GTE Networking (formerly BBN) has a VPN product which is actually the
product of whoever else they feel to be ahead at the time ... they seem
to not feel at all uncomfortable about dropping in whichever product is
plug-compatible with the rest of their system.

This has been discussed in the VPN mailing list quite a few times, and
I would have thought that it was a FAQ already, but it's not.  [Tina?]
There are pointers to www.isoc.org, which is pretty general, and also
the following:

there have been over two years of IPSec interoperability tests, which
TimeStep and Cisco and a handful of firewall vendors have attended.  So we
have been successfully interoperating in a lab environment since Jan 97.
But last year since ICSA certified IPSec products, we have had
real-world testing certification.  Being ICSA IPSec certified means that
these products should work out in the field.  A list of vendors who have
achieved this certification can be found at
http://www.icsa.net/services/product_cert/ipsec/certified_products.shtml.

Roy Pereira
Product Management
TimeStep Corporation
(613) 599-3610 x4808
http://www.timestep.com

Roy is pretty confident in interoperability.  Others feel it's close,
and good enough for some but not for others.

Hope this helps.

--
Joe Yao                  jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                        EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.




     slainte mhath, RGB
--
Richard Guy Briggs -- PGP key available                Auto-Free Ottawa! Canada
<http://www.conscoop.ottawa.on.ca/rgb/>                   </www.flora.org/afo/>
Prevent Internet Wiretapping!       --      FreeS/WAN:<www.xs4all.nl/~freeswan>
Thanks for voting Green! -- <green.ca>          Marillion:<www.marillion.co.uk>
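The "quick sanity check" the original poster asked for, done as an added example that is not FreeS/WAN code: audit a gateway's listening sockets against the surface Richard describes (pluto's IKE on UDP/500, plus sshd for administration). The netstat listing is constructed; ESP and AH ride as IP protocols 50/51, not ports, so they never appear in such a listing.

```python
"""Audit an IPsec gateway's listening sockets against the expected surface:
IKE (pluto) on UDP/500 and sshd on TCP/22.  Added example, not FreeS/WAN
code; the netstat output below is constructed for illustration."""
import re

# Allowlist of (proto, port) a FreeS/WAN gateway is expected to expose.
EXPECTED = {("udp", 500), ("tcp", 22)}

# Constructed sample in the format of `netstat -an` on a Linux host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:22             10.0.0.7:1033           ESTABLISHED
udp        0      0 0.0.0.0:500             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
"""

LINE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def listeners(netstat_output):
    """Return {(proto, port)} for sockets reachable from the wire: every UDP
    socket and every TCP socket in LISTEN; established connections and
    loopback-bound sockets are ignored."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue
        if addr.startswith("127."):
            continue
        found.add((proto, int(port)))
    return found


def audit(netstat_output, expected=EXPECTED):
    """Return (unexpected, missing) relative to the allowlist."""
    found = listeners(netstat_output)
    return sorted(found - expected), sorted(expected - found)


if __name__ == "__main__":
    extra, missing = audit(SAMPLE_NETSTAT)
    print("unexpected listeners:", extra)   # portmapper on 111 is not IPsec
    print("missing expected:", missing)
```

Anything in the "unexpected" list is what Ron's "other stuff running" remark refers to: a service the OS added, not one IPsec needs.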



