[c-nsp] Dynamic remotes connecting to VPN 3005. Is it possible?
Brian Feeny
signal at shreve.net
Mon Sep 27 08:23:20 EDT 2004
Michael,
Thanks for the reply. I will try to create 20 groups with different
PSK's. The remotes
are using SonicWall VPN Devices, and although a migration to Certs
would be good,
right now the task at hand is to just migrate the users to the Cisco
3000 (off of a Sonicwall
concentrator), and so I am just trying to get that out of the way first.
Brian
On Sep 27, 2004, at 1:52 AM, Michael Markstaller wrote:
> In general it's easy possible, but depends on what remotes you have
> (VPN3002,IOS,PIX,other?)
>
> The first thing to consider is using certificates, otherwise, depending
> on your devices you run into the problems with PSK you mentioned..
> Preshared keys are insecure and a bad idea in general, not only
> regarding the "dynamic IP" issue.
> There was an advisory not so long ago regarding the Groupname/Password
> issue caused by weakness of PSK. This only acknowledged what anybody
> expected before: VPN3000-stuff with PSK is as vulnerable as PSK is.
> Cisco now introduced some Mutual-IKE stuff which is again only a
> workaround - using certs is the solution.
> But in general on the VPN 3000 it should be possible to seperate peers
> even with PSK (Groupname/Password) worst case creating 20 Groups,
> although I've never tried - but regarding security it leads to the same
> problems.
>
> Michael
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
>> Sent: Monday, September 27, 2004 2:31 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Dynamic remotes connecting to VPN 3005. Is
>> it possible?
>>
>>
>>
>> Does anyone know if its possible to have remote sites, who
>> are assigned
>> dynamic IP addresses,
>> connect to the VPN 3005 (The VPN 3005 would have a static IP address)?
>> I know you can put
>> all your remotes, in this case 20, into one Base Group and that would
>> work, but then they share
>> the same IKE password, and so this is not good, because if one
>> site/client quits, you must change
>> the password at 19 other sties. I want to be able to configure each
>> client as its own group/profile
>> with its own unique password/key. Lumping all remotes that
>> use dynamic
>> addressing/dhcp into
>> one "Base Group" is not an option for me. Other vendors, like sonic
>> wall, can do this very easily
>> and so I am sure its probably supported on the cisco vpn concentrator,
>> since many remote sites
>> that need VPN are behind dynamic ip assignment.
>>
>> Brian
>>
>> ---------------------------------------------
>> Brian Feeny, CCIE #8036, CISSP
>> Network Engineer
>> ShreveNet Inc.
>>
>>
>> --- auto-converted to plaintext by ELAB4
>>
>>
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : https://puck.nether.net/pipermail/cisco-nsp/attachments/20040927/ae542d7f/PGP-0001.bin
More information about the cisco-nsp
mailing list