[c-nsp] Dynamic remotes connecting to VPN 3005. Is it possible?

Brian Feeny signal at shreve.net
Mon Sep 27 18:40:06 EDT 2004


Is groupname a standardized parameter? I mean I am familiar with PSK, but not sure
if various vendors send "groupname" in establishing IKE/IPsec SAs. I know Cisco's
VPN client will send groupname, but I am working with mostly hardware devices
(SonicWall VPN devices), and not sure if the "name" is sent in a format that
interoperates with Cisco, although I am going to try it.

Brian

On Sep 27, 2004, at 1:52 AM, Michael Markstaller wrote:

> In general it's easily possible, but depends on what remotes you have
> (VPN3002, IOS, PIX, other?)
>
> The first thing to consider is using certificates; otherwise, depending
> on your devices, you run into the problems with PSK you mentioned.
> Preshared keys are insecure and a bad idea in general, not only
> regarding the "dynamic IP" issue.
> There was an advisory not so long ago regarding the Groupname/Password
> issue caused by weakness of PSK. This only acknowledged what anybody
> expected before: VPN3000 stuff with PSK is as vulnerable as PSK is.
> Cisco now introduced some Mutual-IKE stuff which is again only a
> workaround; using certs is the solution.
> But in general on the VPN 3000 it should be possible to separate peers
> even with PSK (Groupname/Password), worst case creating 20 groups,
> although I've never tried; but regarding security it leads to the same
> problems.
>
> Michael
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
>> Sent: Monday, September 27, 2004 2:31 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Dynamic remotes connecting to VPN 3005. Is
>> it possible?
>>
>> Does anyone know if it's possible to have remote sites, who are assigned
>> dynamic IP addresses, connect to the VPN 3005 (the VPN 3005 would have
>> a static IP address)? I know you can put all your remotes, in this case
>> 20, into one Base Group and that would work, but then they share the
>> same IKE password, and so this is not good, because if one site/client
>> quits, you must change the password at 19 other sites. I want to be
>> able to configure each client as its own group/profile with its own
>> unique password/key. Lumping all remotes that use dynamic addressing/DHCP
>> into one "Base Group" is not an option for me. Other vendors, like
>> SonicWall, can do this very easily, and so I am sure it's probably
>> supported on the Cisco VPN concentrator, since many remote sites that
>> need VPN are behind dynamic IP assignment.
>>
>> Brian
>>
>> ---------------------------------------------
>> Brian Feeny, CCIE #8036, CISSP
>> Network Engineer
>> ShreveNet Inc.
>>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
----------------------------------------------------------------------------
Brian Feeny, CCIE #8036, CISSP    e: signal at shreve.net
Network Engineer                  p: 318.213.4709
ShreveNet Inc.                    f: 318.221.6612
