Security Incidents mailing list archives
Re: isakmp before smtp?
From: Mike Fratto <mfratto () NWC SYR EDU>
Date: Mon, 11 Sep 2000 20:02:55 -0400
Depends on how you configure it. There are two ways to create an IPsec VPN with W2K and they are very different. You can use the "VPN Adapter" in Dial-Up Networking, which is not the case we care about here. Or you can use IPsec between W2K machines themselves, which is the case.

There are several ways to configure how connections are processed when IPsec is running in W2K. You can have it require that all connections are run via IPsec. Some connections can run if the other side requests or we request IPsec, or pass in the clear. Check out http://www.microsoft.com/windows2000/library/technologies/security/default.asp for more details.

In this case, when the MTA attempts to contact anyone, it will first try to exchange IKE (UDP port 500) and if that fails, it will just continue the connection in the clear. If the far end had responded with the next step in the IKE exchange, the two systems would try to authenticate. If they don't know each other, the connection would fail at that point. W2K offers three ways to authenticate with IKE: Kerberos, certificate, and pre-shared secret. So unless you're talking to another W2K box, you're gonna be doing either certificate or pre-shared secret.

mike

At 06:04 PM 9/11/00 -0500, Frank Knobbe wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Uhm... this may be a stupid question, but how is this supposed to work? Don't you need to have keys exchanged or both systems configured with a shared secret? How can an IPSec session be set up to someone who is not somehow listed in the configuration of that mail server? Is there some kind of free-for-all IPSec?

Regards,
Frank

> -----Original Message-----
> From: Mike Fratto [mailto:mfratto () NWC SYR EDU]
> Sent: Sunday, September 10, 2000 8:42 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: isakmp before smtp?
>
>
> The MTA is a Windows 2000 box that is configured to try to
> use IPsec VPN
> for communications if possible, but fall back to clear text
> if IPsec fails.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOb1k/URKym0LjhFcEQL0QACgy3QMFRPCaZMzPhpPH1M4CkjM+GwAoK2u
J09Mkno4pzYxH161YaDR0BmB
=0EJv
-----END PGP SIGNATURE-----
___________________
Mike Fratto
Senior Technology Editor
Network Computing
001 Machinery Hall
Syracuse University
Syracuse, NY 13244
V-(315) 443-2231
F-(315) 443-2277
___________________
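The behaviour Mike describes (an IKE attempt on UDP/500 that goes unanswered, followed a moment later by the same host opening TCP/25 in the clear) is exactly what a firewall or IDS operator sees as "isakmp before smtp". The following is an added example, not code from the thread or from Microsoft: it correlates UDP/500 attempts with a following TCP/25 connection from the same source to the same destination within a short window, over constructed log lines in an assumed, simplified firewall log format. The window size, the log format and the sample addresses are all assumptions for illustration.

```python
"""
Correlate ISAKMP (UDP/500) attempts with a following SMTP (TCP/25) connection
from the same source to the same destination: the "try IKE, fall back to clear
text" pattern that a W2K MTA with an optional IPsec policy produces.

The log format and the sample lines below are constructed for this example;
they are not from the original thread.
"""
from datetime import datetime

ISAKMP_PORT = 500
SMTP_PORT = 25
DEFAULT_WINDOW_SECONDS = 30  # assumed: how long after IKE the SMTP connect may come

# Constructed sample log, one event per line:
# "<date> <time> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2000-09-11 19:58:01 DROP UDP 192.0.2.10:500 -> 198.51.100.25:500
2000-09-11 19:58:03 ACCEPT TCP 192.0.2.10:3201 -> 198.51.100.25:25
2000-09-11 20:01:15 DROP UDP 192.0.2.10:500 -> 198.51.100.26:500
2000-09-11 20:01:17 ACCEPT TCP 192.0.2.10:3202 -> 198.51.100.26:25
2000-09-11 20:05:00 DROP UDP 203.0.113.7:500 -> 198.51.100.25:500
2000-09-11 20:05:30 ACCEPT TCP 203.0.113.7:4040 -> 198.51.100.25:25
2000-09-11 20:10:00 DROP UDP 203.0.113.8:500 -> 198.51.100.25:500
2000-09-11 20:20:00 ACCEPT TCP 203.0.113.9:4100 -> 198.51.100.25:25
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    date, time, action, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "action": action,
        "proto": proto,
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
    }


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_ike_fallbacks(events, window=DEFAULT_WINDOW_SECONDS):
    """Return (src_ip, dst_ip, gap_seconds) for each UDP/500 attempt that was
    followed, within `window` seconds, by a TCP/25 connection from the same
    source to the same destination.  Each IKE attempt is matched at most once.
    An IKE attempt with no SMTP follow-up, or SMTP with no preceding IKE, is
    not reported: only the fallback pair is interesting here."""
    events = sorted(events, key=lambda e: e["ts"])
    ike = [e for e in events if e["proto"] == "UDP" and e["dst_port"] == ISAKMP_PORT]
    smtp = [e for e in events if e["proto"] == "TCP" and e["dst_port"] == SMTP_PORT]
    hits = []
    for attempt in ike:
        for conn in smtp:
            if conn["src_ip"] != attempt["src_ip"] or conn["dst_ip"] != attempt["dst_ip"]:
                continue
            gap = (conn["ts"] - attempt["ts"]).total_seconds()
            if 0 <= gap <= window:
                hits.append((attempt["src_ip"], attempt["dst_ip"], gap))
                break
    return hits


def fallback_sources(text, window=DEFAULT_WINDOW_SECONDS):
    """Count, per source IP, how often the IKE-then-cleartext-SMTP pattern
    occurred.  A source that shows up repeatedly against many destinations is
    most likely an MTA with an optional IPsec policy, not a scanner."""
    counts = {}
    for src, _dst, _gap in find_ike_fallbacks(parse_log(text), window):
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for src, dst, gap in find_ike_fallbacks(parse_log(SAMPLE_LOG)):
        print(f"{src} tried IKE to {dst}, then opened SMTP in the clear {gap:.0f}s later")
    print(fallback_sources(SAMPLE_LOG))
```

Two caveats when applying this to real logs. The correlation only proves that the source tried IKE and then sent mail in the clear; whether the IKE attempt was refused, dropped, or simply timed out is not visible from one side's log, so treat it as the "optional IPsec" MTA signature the thread describes rather than as evidence of an attack. And a host whose IKE attempts are always followed by SMTP within seconds, across many destinations, is behaving exactly as Mike's W2K policy would, which is the benign explanation to check before escalating.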
Current thread:
- isakmp before smtp? Philipp Buehler (Sep 12)
- Re: isakmp before smtp? Mike Fratto (Sep 12)
- Message not available
- Re: isakmp before smtp? Mike Fratto (Sep 12)
- <Possible follow-ups>
- Re: isakmp before smtp? Frank Knobbe (Sep 12)
- Re: isakmp before smtp? Mike Fratto (Sep 12)
- Re: isakmp before smtp? Valdis Kletnieks (Sep 12)
- Re: isakmp before smtp? Steffen Dettmer (Sep 14)
- Re: isakmp before smtp? Valdis Kletnieks (Sep 14)
- Re: isakmp before smtp? Crist Clark (Sep 14)