Firewall Wizards mailing list archives

Re: VPN through DSL


From: Yang Lee <ylee () net50 com>
Date: Wed, 13 Mar 2002 13:37:15 -0500 (EST)

Your company may be using RADIUS + SecurID for VPN
authentication. The normal way of laying this out is like:

VPN client (Nortel Extranet client) -> VPN Gateway (Nortel VPN Gateway)
<-> Authentication Server (RADIUS/TACACS) <-> Token Server (SecurID)

Basically, your office VPN is using a central RADIUS or TACACS server for remote
authentication. The reason to use SecurID is that it's more secure than a
normal password. You can say that it's a dynamic password authentication
device. Note that some companies' VPN solutions skip the Authentication Server
layer described above. The pros and cons are not within the scope of our
discussion.

From your messages, it seems that your SecurID account is disabled. By
default, after 10 consecutive failed login attempts, the SecurID server will
disable your account automatically (evasion-of-attack). In order to enable
it, you have to contact your SecurID server administrator.

Since the whole process involves many links, you may try to identify where
it's broken. I'll try to make sure that somebody else can connect to the
same VPN gateway from another place using SecurID. From my experience, some
types of Nortel VPN gateway have a bug in implementing direct SecurID support.

Also, you may double-check your network connection by pinging the VPN
gateway. And you may also want to make sure the VPN ports are not blocked if
there is any firewall/ACL between your VPN client and VPN gateway.

Hope this helps. Good luck.

############################################
#Yang Lee                                  #
#Sr. Internet Security Engineer, Net2phone #
#Tel. 973-412-3556                         #
#Email. ylee () net2phone com                 #
#                                          #
#                                          #
#Disclaimer:                               #
#My opinion here does not represent my     #
#employer's in any way                     #
#                                          #
############################################

On Tue, 12 Mar 2002, Neverdowski wrote:

I am desperate. I have been trying to connect to my office's VPN through my 
DSL connection at home for months now. In order to connect to my VPN, my 
office has provided an RSA SecurID token, which generates a random passcode 
at periodic intervals. I installed the Nortel Extranet client required by 
my office to connect and I run it after I have already established a DSL 
connection to the internet (with Enternet 300). However, the Extranet 
client always tells me that my login was unsuccessful, check my id and 
password. I have done so, and each time, my office says that both are in 
working order. I then contacted my ISP, who supplied the Enternet 300 
software with which I establish my connection to the internet. They are 
clueless (Southwestern Bell - go figure).

If I look at the details of my connection within the Enternet 300 
software, I see "SecurID disabled". No one can tell me why it says this, or 
how to enable SecurID. The furthest I got with any of the techs who tried 
to help, was to run Tracert, which showed that everything was peachy until 
we hit the tenth address which states "Request timed out", even though the 
11th-14th still return replies (with the 14th being the address I want to 
reach).

Someone at one point suggested I get a router. Is that my only option? Why 
would having a router on the external DSL modem on my home PC help?

Any suggestions, help etc. would be greatly appreciated.

Thanks,

Stephanie
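As an added illustration of the lockout behaviour the reply describes (this is not code from the original thread or from any vendor), the following Python tracks consecutive authentication failures per user over constructed RADIUS-style log lines and flags the point at which an account would have been disabled; the log line format, the user names and the NAS name are assumptions made for the example.

```python
import re
from collections import defaultdict

# The reply states that ten consecutive failed logins disable a SecurID account.
LOCKOUT_THRESHOLD = 10

# Constructed RADIUS-style auth result lines (assumed format, not real logs).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth user=(?P<user>\S+) nas=\S+ result=(?P<result>ACCEPT|REJECT)$"
)


def analyze_auth_log(lines, threshold=LOCKOUT_THRESHOLD):
    """Return {user: {"streak", "locked", "locked_at"}} from auth result lines.

    The streak counts consecutive REJECTs. A REJECT that reaches the threshold
    marks the user locked at that timestamp; later rejects are then the expected
    symptom of a disabled account. An ACCEPT clears the streak and the lockout
    flag, since the account must have been re-enabled for it to succeed.
    """
    state = defaultdict(lambda: {"streak": 0, "locked": False, "locked_at": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not auth results
        rec = state[m["user"]]
        if m["result"] == "ACCEPT":
            rec.update(streak=0, locked=False, locked_at=None)
        else:
            rec["streak"] += 1
            if rec["streak"] == threshold:
                rec["locked"] = True
                rec["locked_at"] = m["ts"]
    return dict(state)


# Constructed sample: stephanie fails 11 times in a row (locked on the 10th),
# bob fails twice, succeeds, then fails once more (never locked).
SAMPLE_LOG = [
    f"2002-03-12 08:{i:02d}:00 auth user=stephanie nas=vpn-gw1 result=REJECT"
    for i in range(11)
] + [
    "2002-03-12 09:00:00 auth user=bob nas=vpn-gw1 result=REJECT",
    "2002-03-12 09:01:00 auth user=bob nas=vpn-gw1 result=REJECT",
    "2002-03-12 09:02:00 auth user=bob nas=vpn-gw1 result=ACCEPT",
    "2002-03-12 09:03:00 auth user=bob nas=vpn-gw1 result=REJECT",
]

if __name__ == "__main__":
    for user, rec in analyze_auth_log(SAMPLE_LOG).items():
        status = f"locked at {rec['locked_at']}" if rec["locked"] else "active"
        print(f"{user}: streak={rec['streak']} {status}")
```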


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

