Full Disclosure mailing list archives
Re: MSN\Qwest ships DSL modem with "unconfigurable" firewall
From: "Volker Tanger" <volker.tanger () detewe de>
Date: Mon, 5 Apr 2004 10:04:54 +0200
Greetings!

On Fri, 2 Apr 2004 10:19:59 -0700 James Lay <jlay () ameriben com> wrote:

> Real quick...just implemented a Cisco VPN concentrator here and lo and behold certain users couldn't get in. The concentrator is set up with the standard UDP port 500. All users BESIDES MSN\Qwest DSL users could get right on. After a few calls and some frustration, Qwest informed us that the firewall on the DSL router they ship is "unconfigurable"

That is because you'll need AH/ESP (== IP type 50/51) in addition to IKE, if you want to implement IPSec VPN. Most el-cheapo routers only support ICMP (== IP type 1), TCP (== IP type 6) and UDP (== IP type 17). Thus you'd need an encapsulation of ESP traffic like the soft-VPN clients of Nortel and CheckPoint offer (probably just because of this problem). Or you'd have to have a router that really supports "IPSec-Forwarding" (i.e. blind forwarding of IP types 50+51 to a specific IP to be configured in the router).

Data sheets don't always tell the truth here, so you really should verify before rollout...

Qapla'

Volker Tanger
ITK Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
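The forwarding problem described in this message, as an added example that is not part of the original post: it parses the IPv4 protocol field of constructed packets and reports which ones a device limited to ICMP/TCP/UDP would forward. The packet builders, the `BASIC_ROUTER` model and the use of UDP/4500 (the standardized NAT traversal port) as the encapsulation case are assumptions for illustration.

```python
import socket
import struct

# IANA IP protocol numbers relevant to IPsec pass-through.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
# Assumption: a router that handles only the three protocols named in the post.
BASIC_ROUTER = frozenset({1, 6, 17})


def build_ipv4(proto, payload=b"", src="192.0.2.10", dst="198.51.100.1"):
    """Construct a minimal IPv4 packet (20-byte header, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, data=b""):
    """Construct a UDP header (checksum 0) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet, forwarded=BASIC_ROUTER):
    """Return (description, passes) for one IPv4 packet against a protocol set."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    proto = packet[9]                     # protocol field of the IPv4 header
    desc = PROTO_NAMES.get(proto, f"proto {proto}")
    if proto == 17 and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if 500 in (sport, dport):
            desc = "IKE (UDP/500)"
        elif 4500 in (sport, dport):
            desc = "UDP-encapsulated ESP (UDP/4500)"
    return desc, proto in forwarded


def vpn_session():
    """Constructed sample: packet kinds an IPsec client sends."""
    return [build_ipv4(17, udp(500, 500)),                 # IKE negotiation
            build_ipv4(50, b"\x00" * 8),                   # native ESP
            build_ipv4(51, b"\x00" * 12),                  # native AH
            build_ipv4(17, udp(4500, 4500, b"\x00" * 8))]  # ESP inside UDP


if __name__ == "__main__":
    for pkt in vpn_session():
        desc, ok = classify(pkt)
        print(f"{desc:34} {'forwarded' if ok else 'DROPPED'}")
```

Running the same `classify` over a packet capture taken on the WAN side of the device under test is one way to do the pre-rollout verification the message recommends.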