MSN dialup and IPSEC/VPN


Post by Bill » Thu, 21 Mar 2002 01:26:34



Hi everyone.
I have a client who dials into MSN to connect to the
Internet; we want to set him up to use our VPN to gain
secure access to the corporate network.

From the PIX logs, we can see the IKE process starting....
UDP packets pass fine; however, when the process starts
using IPSEC, nothing gets through.

So, my question is: Does MSN block IPSEC traffic from
going through their network?

If not, is there a published document on how to set up a
VPN client (Cisco VPN5000 in this case) to work with MSN?

Thanks
Bill

 
 
 


Post by Jim » Thu, 21 Mar 2002 02:05:49


You may find a way around your blockage(s).  If so, I think Cisco would be the one to provide the process.

That aside -  MSN is NOT intended for business use.  It is, by their own admission, intended for 'fun and entertainment' (paraphrased) use only.
-Jim-
With MSN, failure is not an option.
It comes bundled with the service.


  Hi everyone.
  I have a client who dials into MSN to connect to the
  Internet; we want to set him up to use our VPN to gain
  secure access to the corporate network.

  From the PIX logs, we can see the IKE process starting....
  UDP packets pass fine; however, when the process starts
  using IPSEC, nothing gets through.

  So, my question is: Does MSN block IPSEC traffic from
  going through their network?

  If not, is there a published document on how to set up a
  VPN client (Cisco VPN5000 in this case) to work with MSN?

  Thanks
  Bill

 
 
 


Post by srtrenc » Thu, 21 Mar 2002 02:25:07


yep, i agree with that.

  You may find a way around your blockage(s).  If so, I think Cisco would be the one to provide the process.

  That aside -  MSN is NOT intended for business use.  It is, by their own admission, intended for 'fun and entertainment' (paraphrased) use only.
  -Jim-
  With MSN, failure is not an option.
  It comes bundled with the service.


    Hi everyone.
    I have a client who dials into MSN to connect to the
    Internet; we want to set him up to use our VPN to gain
    secure access to the corporate network.

    From the PIX logs, we can see the IKE process starting....
    UDP packets pass fine; however, when the process starts
    using IPSEC, nothing gets through.

    So, my question is: Does MSN block IPSEC traffic from
    going through their network?

    If not, is there a published document on how to set up a
    VPN client (Cisco VPN5000 in this case) to work with MSN?

    Thanks
    Bill

 
 
 


Post by Bill » Thu, 21 Mar 2002 02:25:33


Thanks, Jim....
I had a sneaking suspicion that that was the case.

It started out this morning when I called MSN tech
support... the bozo on the other end said "VP What??? I
deal with email and phone number problems."

At that point, I knew that it was a hopeless cause.

Bill

> -----Original Message-----
> You may find a way around your blockage(s).  If so, I think Cisco would be the one to provide the process.

> That aside -  MSN is NOT intended for business use.  It is, by their own admission, intended for 'fun and entertainment' (paraphrased) use only.
> -Jim-
> With MSN, failure is not an option.
> It comes bundled with the service.

>  Hi everyone.
>  I have a client who dials into MSN to connect to the
>  Internet; we want to set him up to use our VPN to gain
>  secure access to the corporate network.

>  From the PIX logs, we can see the IKE process starting....
>  UDP packets pass fine; however, when the process starts
>  using IPSEC, nothing gets through.

>  So, my question is: Does MSN block IPSEC traffic from
>  going through their network?

>  If not, is there a published document on how to set up a
>  VPN client (Cisco VPN5000 in this case) to work with MSN?

>  Thanks
>  Bill

 
 
 


Post by me » Thu, 21 Mar 2002 09:55:45


some broadband providers demand you pay for "business" service if you use a
VPN... since you're talking MS, it wouldn't surprise me if they've adopted
this stance.

http://www.infoworld.com/articles/op/xml/02/01/28/020128opfoster.xml


> Hi everyone.
> I have a client who dials into MSN to connect to the
> Internet; we want to set him up to use our VPN to gain
> secure access to the corporate network.

> From the PIX logs, we can see the IKE process starting....
> UDP packets pass fine; however, when the process starts
> using IPSEC, nothing gets through.

> So, my question is: Does MSN block IPSEC traffic from
> going through their network?

> If not, is there a published document on how to set up a
> VPN client (Cisco VPN5000 in this case) to work with MSN?

> Thanks
> Bill

 
 
 


Post by David Efflan » Thu, 21 Mar 2002 23:11:17



> Hi everyone.
> I have a client who dials into MSN to connect to the
> Internet; we want to set him up to use our VPN to gain
> secure access to the corporate network.

> From the PIX logs, we can see the IKE process starting....
> UDP packets pass fine; however, when the process starts
> using IPSEC, nothing gets through.

> So, my question is: Does MSN block IPSEC traffic from
> going through their network?

> If not, is there a published document on how to set up a
> VPN client (Cisco VPN5000 in this case) to work with MSN?

It may be possible, because I just did it, sort of.  I can connect SSH
Sentinel on MSN PPP through PPPoE and FreeS/WAN in Linux to my home LAN.
From the MSN end, I can telnet to and get a ready response from the
smtp port on a private LAN IP.  Or I can ping it 3 times (4th ping drops).

But I must have misconfigured something in my firewall or the script that
punches the IPSEC hole through it, because after either of those, traffic
stops and my firewall logs start reporting martians.  But it does the same
thing with a core.com dialup that used to work fine, that is why it may
be a firewall misconfiguration.

packet from 199.182.172.242:500: ignoring Vendor ID payload
"dynshared" #5: responding to Main Mode from unknown peer 199.182.172.242
"dynshared" #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
"dynshared" #5: Peer ID is ID_IPV4_ADDR: '199.182.172.242'
"dynshared" #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"dynshared" #6: IPCA (IPcomp SA) contains GROUP_DESCRIPTION. Ignoring inapproprate attribute.
"dynshared" #6: responding to Quick Mode
"dynshared" #6: STATE_QUICK_R2: IPsec SA established
martian source 66.73.195.121 from 199.182.172.242, on dev ppp0
ll header: 45:00:00:60:00:66:40:00:ea:32:15:9a:c7:b6:ac:f2:42:49:c3:79:0b:31
martian source 66.73.195.121 from 199.182.172.242, on dev ppp0
ll header: 45:00:00:60:00:67:40:00:ea:32:15:99:c7:b6:ac:f2:42:49:c3:79:0b:31
martian source 66.73.195.121 from 199.182.172.242, on dev ppp0
ll header: 45:00:00:60:00:68:40:00:ea:32:15:98:c7:b6:ac:f2:42:49:c3:79:0b:31

The .121 IP was my local pppoe IP at the time and the other IP was the
remote.

--
David Efflandt - All spam ignored
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://www.nsscc.com/ - free driver school Friday nights in March
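
An added example, not part of David Efflandt's post: the "ll header" bytes in the martian log lines above can be decoded to see which packets the kernel is rejecting. It assumes that on ppp0 the dump begins at the IPv4 header (there is no Ethernet header on a PPP link), and the header checksum is verified to confirm that reading.

```python
import re
import socket
import struct

# Kernel log lines copied verbatim from the post above.
LOG = """\
martian source 66.73.195.121 from 199.182.172.242, on dev ppp0
ll header: 45:00:00:60:00:66:40:00:ea:32:15:9a:c7:b6:ac:f2:42:49:c3:79:0b:31
martian source 66.73.195.121 from 199.182.172.242, on dev ppp0
ll header: 45:00:00:60:00:67:40:00:ea:32:15:99:c7:b6:ac:f2:42:49:c3:79:0b:31
martian source 66.73.195.121 from 199.182.172.242, on dev ppp0
ll header: 45:00:00:60:00:68:40:00:ea:32:15:98:c7:b6:ac:f2:42:49:c3:79:0b:31
"""

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH", 108: "IPComp"}
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
HEADER_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:)*[0-9a-f]{2})")

def checksum_ok(header: bytes) -> bool:
    """A valid IPv4 header sums (one's complement, 16-bit words) to 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_ip_header(dump: str) -> dict:
    """Decode the dumped bytes, assuming they start at the IPv4 header."""
    raw = bytes.fromhex(dump.replace(":", ""))
    ihl = (raw[0] & 0x0F) * 4 if raw else 0
    if len(raw) < 20 or raw[0] >> 4 != 4 or not 20 <= ihl <= len(raw):
        raise ValueError("dump does not begin with a complete IPv4 header")
    _, _, length, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "protocol": PROTOCOLS.get(proto, str(proto)), "total_length": length,
            "checksum_ok": checksum_ok(raw[:ihl])}

def parse_martians(log: str) -> list:
    """Pair each 'martian source' line (destination first, then source) with its dump."""
    events, pending = [], None
    for line in log.splitlines():
        martian, header = MARTIAN_RE.search(line), HEADER_RE.search(line)
        if martian:
            pending = {"log_dst": martian[1], "log_src": martian[2], "dev": martian[3]}
        elif header and pending:
            events.append({**pending, **decode_ip_header(header.group(1))})
            pending = None
    return events

if __name__ == "__main__":
    print(*parse_martians(LOG), sep="\n")
```

All three dumps decode to IP protocol 50 (ESP) from 199.182.172.242 to 66.73.195.121 with valid header checksums, so the packets being rejected as martians are the tunnel's own ESP traffic rather than IKE on UDP port 500.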

 
 
 

1. EAP-TLS IPSEC VPN/Radius scenario

 Here's what I am trying to do, all Win2003 servers and problems with IPSEC/

DSL-->Firewall-->RRAS/VPN-->IAS -->Domain controller

I can PPTP no problem so ports/firewall = no problem

trying to setup EAP-TLS IPSEC ..(smartcards for clients dialing in addition
to user/pass). RRAS-->IAS Secrets ok, EAP-users have dial-in rights.. IAS is
auth in the Domain. CMAK/PBS setup  ok on client to propagate down local Pop
phone# info to clients etc.

areas I am not clear about is how to setup the Certificate Server itself  or
the Ipsec policies on the client.. is there a walkthrough or other things
you can point me to, I saw a presentation by the MS PM on IPSEC (Dixon?) on
this scenario and how MS IS department does it for employee VPN with CA's on
Smartcards.. we would like to do a very similar deployment. .. I am not sure
if MS released a Case study on its own deployment or not..

one last question .. Cisco -VS - Microsoft. VPN

  It's my understanding MS doesn't actually do encryption (I don't mean
encapsulate) on the entire IPSec tunnel (understanding that Ipsec itself
encrypts at multiple levels of the OSI model inside the encapsulated
packet ) but Cisco talks about doing DES or 3DES on the IPSEC tunnels to
like the PIX 501 VPN hardware.. I don't see MSFT offering this.. or do they
do this some other way..

in terms of Speed of throughput on IPSEC Tunnels.. would Using Win2003
actually be slower than dedicated VPN hardware  (takes more on the CPU of
the VPN server) our entire network VPN -->IAS-->DC is running on Gigabit ..
the bottleneck being T-1 internet and 10/100 Routers (due to cost of 1 &
10Gbps Routers)or simply making sure we buy NIC cards that offload IPSEC on
the NIC -vs- CPU resolve that issue.. does MS have performance numbers
avail?

any help on the CA server /Ipsec policies for the scenario above would be
helpful

 thanks a bunch
