[c-nsp] Dynamic remotes connecting to VPN 3005. Is it possible?

Michael Markstaller mm at elabnet.de
Tue Sep 28 02:52:02 EDT 2004


maybe standardized but not commonly found in other devices.
I know no box besides Cisco EzVPN using this Groupname/Password.
You'll always have a more or less big problem with PSK and I am quite
sure that most dynamic-IP/PSK workarounds by vendors are vulnerable
unless they use some public/private key crypto - or certificates.
Another option to make things at least a bit secure would be a common
PSK with XAuth and strong authentication requiring the clients to enter
e.g. a SecurID tokencode, but this usually makes things more complex..
I cannot shout this out loud enough: don't use PSK! IPSec with AES-256
is as vulnerable as PPTP is..

Michael

> -----Original Message-----
> From: Brian Feeny [mailto:signal at shreve.net] 
> Sent: Tuesday, September 28, 2004 12:40 AM
> To: Michael Markstaller
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Dynamic remotes connecting to VPN 3005. 
> Is it possible?
> 
> 
> 
> Is groupname a standardized parameter?  I mean I am familiar with PSK,
> but not sure if various vendors send "groupname" in establishing
> IKE/IPSec SAs.  I know cisco's VPN client will send groupname, but I am
> working with mostly hardware devices (sonicwall vpn devices), and not
> sure if the "name" is sent in a format that interoperates with cisco,
> although I am going to try it.
> 
> Brian
> 
> On Sep 27, 2004, at 1:52 AM, Michael Markstaller wrote:
> 
> > In general it's easily possible, but depends on what remotes you have
> > (VPN3002, IOS, PIX, other?)
> >
> > The first thing to consider is using certificates, otherwise, depending
> > on your devices you run into the problems with PSK you mentioned..
> > Preshared keys are insecure and a bad idea in general, not only
> > regarding the "dynamic IP" issue.
> > There was an advisory not so long ago regarding the Groupname/Password
> > issue caused by weakness of PSK. This only acknowledged what anybody
> > expected before: VPN3000-stuff with PSK is as vulnerable as PSK is.
> > Cisco now introduced some Mutual-IKE stuff which is again only a
> > workaround - using certs is the solution.
> > But in general on the VPN 3000 it should be possible to separate peers
> > even with PSK (Groupname/Password), worst case creating 20 Groups,
> > although I've never tried - but regarding security it leads to the same
> > problems.
> >
> > Michael
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
> >> Sent: Monday, September 27, 2004 2:31 AM
> >> To: cisco-nsp at puck.nether.net
> >> Subject: [c-nsp] Dynamic remotes connecting to VPN 3005. Is
> >> it possible?
> >>
> >>
> >>
> >> Does anyone know if it's possible to have remote sites, who are
> >> assigned dynamic IP addresses, connect to the VPN 3005 (the VPN 3005
> >> would have a static IP address)?  I know you can put all your remotes,
> >> in this case 20, into one Base Group and that would work, but then
> >> they share the same IKE password, and so this is not good, because if
> >> one site/client quits, you must change the password at 19 other sites.
> >> I want to be able to configure each client as its own group/profile
> >> with its own unique password/key.  Lumping all remotes that use
> >> dynamic addressing/dhcp into one "Base Group" is not an option for me.
> >> Other vendors, like sonicwall, can do this very easily and so I am
> >> sure it's probably supported on the cisco vpn concentrator, since many
> >> remote sites that need VPN are behind dynamic ip assignment.
> >>
> >> Brian
> >>
> >> ---------------------------------------------
> >> Brian Feeny, CCIE #8036, CISSP
> >> Network Engineer
> >> ShreveNet Inc.
> >>
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> --------------------------------------------------------------------
> Brian Feeny, CCIE #8036, CISSP    	e: signal at shreve.net
> Network Engineer           			p: 318.213.4709
> ShreveNet Inc.             			f: 318.221.6612
> 
