New Zealand ADSL Mailing List


RE: M10 and tunnels

From: rob.edkins_at_axon.co.nz
Date: Wed, 15 Mar 2000 12:33:46 +1300
Message-ID: <42CCA0F98530D111A77900805F0D52B301738A3E@ax-akl-exchange.axon.co.nz>

IPSec needs IP type 50 for ESP encapsulation, or IP type 51 for AH
(non-encapsulated).
For IPSec to work on our little Nokias, from a private internal network at
one end, to an internal network at the other, we will need to encapsulate
using ESP.

Hence we will need a version of the firmware that allows us to pinhole IP
type 50.

I believe that 5.3.0 R2 will allow this, but this may not be the end of the
matter.

As others have pointed out, as part of guaranteeing payload integrity, IPSec
does a SHA1 or MD5 checksum on the encrypted packet. If NAT rewrites the IP
header, then IPSec may spit the dummy at the far end ('cos the checksum
doesn't match).

I guess we won't know until we try.

There may also be subtle differences between a client-server VPN connection
and a Server-Server connection.

MS PPTP does also encapsulate payload, and does an MD4 hash for a checksum.
This seems to work all right through a pinhole, so I guess there's hope for
IPSec.

IP over IP encapsulation uses IP type 94 (or thereabouts) from memory, so
the same problems apply.

See RFC 1700 - Assigned Numbers for a list of all packet types and
well-known ports.

(While you're at it, take a look at RFC 2324 - The Coffee Pot Control
Protocol. Now that's what I call a GOOD use of e-stuff!)

Incidentally, the Nokia site DOES have mention of the M10, you just have to
hunt a bit for the DSL stuff.

I believe the M11 supports the G.Lite ADSL standard which may have been what
Mark Barlow was referring to when he mentioned being able to buy ADSL gear
at Dick Smith soon. Supposedly no expert config needed.

Rob

> -----Original Message-----
> From: Steve [mailto:steve@focb.iconz.co.nz]
> Sent: Wednesday, 15 March 2000 11:54
> To: adsl@freebsddiary.cx
> Subject: RE: M10 and tunnels
>
>
> Nope, the port 1723 is used by MS PPTP as a control connection and is
> TCP based. If you wish to have a PPTP _server_ behind the M10 you will
> need to pinhole PPTP (I just used all ports in the range of 1-65535) and
> then also set up a TCP pinhole from incoming port 1723 through to the
> same server you set the PPTP pinhole to with an internal port of 1723.
>
> The IP protocol 47 (or PPTP pinhole protocol) is not port based, so the
> port really shouldn't matter.
>
> Don't confuse the data pinhole with the control pinhole however; they are
> two different things and you need both if you are running a PPTP server.
>
> --
> Steve.
>
> On Wed, 15 Mar 2000 hubert.kraemer@prismac.co.nz wrote:
>
> > Doesn't MS PPTP use GRE packets on port 1723? I thought the doco
> > indicated that it does (hence my confusion)...
> >
> > -----Original Message-----
> > From: Steve [mailto:steve@focb.iconz.co.nz]
> > Sent: Wednesday, 15 March 2000 10:37
> > To: adsl@freebsddiary.cx
> > Subject: RE: M10 and tunnels
> >
> >
> >
> >
> > On Wed, 15 Mar 2000 hubert.kraemer@prismac.co.nz wrote:
> >
> > > Don't quite understand... what does the pinhole option of PPTP
> > > provide?
> > >
> >
> > The PPTP pinhole allows one to proxy IP protocol 47. This is used as the
> > transport for a few of the various tunneling programs/clients available;
> > it's listed as "PPTP" because that's what the M$ PPTP (Point to Point
> > Tunneling Protocol) "adaptor" that you can install on your win9x/NT
> > system calls itself. What I am using it for however is for the GRE
> > tunneling that a cisco/other router device can use to establish a
> > tunnel. Tunnels are useful for connecting a remote site and making it
> > seem like it is a part of a local network (this is known as a VPN, or
> > Virtual Private Network).
> >
> > The newer nokia firmware which is under beta at the moment allows you to
> > set up pinholes for additional IP protocols (there are up to 255 reserved
> > numbers for the different IP protocols; you may be familiar with the
> > common names such as UDP, TCP and ICMP but there are others). This allows
> > people to do other funky stuff over their ADSL boxes such as IPsec (like
> > an encrypted way of creating a VPN type thingy) and other such beasties.
> >
> > Most people will never need to know what this all means but some will
> > probably be using it when they have remote offices that get connected
> > together across the internet.
> >
> > This was a very cut down version of what all this means :) If you do a
> > web search for stuff like "VPN" or "IP Tunnel" or "IPsec" you will
> > probably find some whitepapers on the subject that give a much better
> > description.
> >
> > In short, the PPTP option allows people to provide VPN type access to
> > their internal network :)
> >
> > --
> > Steve.
> >
> >
> >
> > To unsubscribe: send mail to majordomo@freebsddiary.cx
> > with "unsubscribe adsl" in the body of the message

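Rob's point above about NAT rewriting the IP header, worked through as an added example that is not from the list thread: with constructed packets it shows why an AH (IP protocol 51) integrity check fails once a NAT box rewrites the source address, while an ESP (IP protocol 50) ICV, which excludes the outer IP header, still verifies (whether the M10's NAT can map a port-less protocol at all is a separate question). The key, the addresses and the simplified AH/ESP ICV construction are assumptions for illustration.

```python
"""Added example (not from the thread): why NAT breaks AH's ICV but not ESP's.

AH computes its ICV over the IP header (with mutable fields zeroed) plus the
payload; ESP computes it over the ESP header/payload/trailer only.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"   # constructed SA key, illustration only
AH, ESP = 51, 50                 # IP protocol numbers (see RFC 1700)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header; header checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_immutable_view(hdr: bytes) -> bytes:
    """Zero the fields AH treats as mutable: TOS, flags/fragment, TTL, checksum."""
    h = bytearray(hdr)
    h[1] = 0                      # TOS
    h[6:8] = b"\x00\x00"          # flags / fragment offset
    h[8] = 0                      # TTL
    h[10:12] = b"\x00\x00"        # header checksum
    return bytes(h)


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH ICV (HMAC-SHA1-96) over the immutable IP header plus payload."""
    return hmac.new(KEY, ah_immutable_view(ip_hdr) + payload, hashlib.sha1).digest()[:12]


def esp_icv(payload: bytes) -> bytes:
    """ESP ICV (HMAC-SHA1-96) over the ESP portion only; outer IP header excluded."""
    return hmac.new(KEY, payload, hashlib.sha1).digest()[:12]


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """Model one NAT hop: rewrite the source address and decrement TTL."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def survives_nat(proto: int) -> bool:
    """True if the far end's ICV check still passes after the NAT rewrite."""
    payload = b"constructed tunnelled packet"             # constructed sample
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", proto, len(payload))
    sent = ah_icv(hdr, payload) if proto == AH else esp_icv(payload)
    natted = nat_rewrite_src(hdr, "198.51.100.7")
    seen = ah_icv(natted, payload) if proto == AH else esp_icv(payload)
    return hmac.compare_digest(sent, seen)
```

Because AH zeroes TTL before hashing, a router hop alone does not break it; only the address rewrite does.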
Received on Wed Mar 15 12:34:45 2000


This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:03 2006 EST