From: stephen_hope@xx.ntlworld.com   
      
   "John Lewis" wrote in message   
   news:FusIb.105239$031.19240@fe3.columbus.rr.com...   
   > The original question was "Can a third party router (a router in the middle
   > of your tunnel, or remote
   > user ISP router - outside of your control) be configured to block ports
   > within a VPN tunnel?"
   >
   > The ans
   > "icc" wrote in message
   > news:KPGdnbimt7hkz3KiRVn-iQ@speedfactory.net...
   > > "Either the tunnel is there or it isn't. No middle ground".
   > > Actually John that's not entirely true.
   >
   > And that is a proper answer to the question.
   >
   > > If both subnets are the same PPTP will auth and bring up the tunnel but no
   > > traffic will pass.
   > > More than likely that's what he's getting.
   >
   > Possible, but not enough information to tell.
   >
   > > If both are 10.0.1.1 then this is what happens. Most of us have seen this
   > > and always change our internal NAT to something
   > > you just don't see on avg router deployment. For example his VPN svr could
   > > be 10.0.23.1 or what have you.
   >
   > The bigger problem is the way MS DUN determines routes to be added. The
   > proper thing to do would be use a RFC1918 private address appropriate to the
   > size of the private network (192.168.23.1 or what have you for a class C),
   > choosing at random as you infer.
      
   Actually - this is a valid use for unique assigned address space - you can
   get a block of IP address space for private use where the addresses must not
   conflict with RFC1918 private space.

   I was involved in a travel extranet where this was used to minimise address
   conflicts.

   It doesn't remove them, as all sorts of weird addresses are in use on internal
   networks where they shouldn't be, but at least it means the argument "this is
   my assigned space - change yours" can be used.
   >
   > >
   > > ICC
   > >
   > > "John Lewis" wrote in message
   > > news:CCvHb.36246$ms2.5178@fe2.columbus.rr.com...
   > > > A third party router can't block ports on the tunnel. Either the tunnel
   > > > is there or it isn't. No middle ground.
   > > >
   > > > What you are seeing is a routing issue.
   > > >
   > > > A VPN connection is a tunnel with two endpoints, and is not part of any
   > > > network. Even though the addresses assigned to the tunnel fall within the
   > > > range of your network, you will note if you do an 'ipconfig' at a command
   > > > prompt that the mask is set to 255.255.255.255.
   > > >
   > > > The MS DUN/VPN client tries to take care of this by adding a route to the
   > > > remote network on the client machine. The details of the server side
   > > > network are not available to the client, so the client must assume a netmask
   > > > for the route. The MS client follows RFC 1918, so your 10.xx.xx.xx network
   > > > is assumed to have a mask of 255.0.0.0. This means the local network (in
   > > > this case the hotel) network address is the same as the server network
   > > > address, so a route is not added.
   > > >
   > > > If the network addresses are really different -- the mask on both sides is
   > > > not 255.0.0.0 -- you could manually add a route on the client to the server
   > > > side network. You could also use CMAK to make a connectoid and cmroute to
   > > > add the route to automate the whole deal.
   > > >
   > > > "Ran Hooper" wrote in message
   > > > news:28928720.0312272207.4386b3e7@posting.google.com...
   > > > > Can a third party router (a router in the middle of your tunnel, or remote
   > > > > user ISP router - outside of your control) be configured to block ports
   > > > > within a VPN tunnel?
   > > > >
   > > > > Scenario:
   > > > > Client has an application that pulls files off of a Windows server. We just
   > > > > have the remote users PPTP VPN (Using XP) into the router, and everything
   > > > > works fine. This past holiday the client was travelling and ordered some
   > > > > kind of $9.99 per day broadband service at his hotel. He could establish the
   > > > > VPN connection but the application or authentication didn't work. He
   > > > > couldn't even ping the server.
   > > > >
   > > > > Things to consider:
   > > > > His private side ip setup is 10.0.1.x
   > > > > The hotel used 10.0.x.x
   > > > >
   > > > > Should this matter? He's trying to find a server at 10.0.1.x. It did seem
   > > > > like everything was trying to go out the hotel router when I had him do a
   > > > > tracert. I use 10.1.x.x at my shop and have no issues at all connecting to
   > > > > 10.0.0.x or 10.0.x.x etc. Weird!
   > > > >
   > > > > He tracked down the Hotel IT and they claimed they weren't running a
   > > > > firewall (yet they are issuing 10.0.x.x IPs). Idiots! They also stated
   > > > > that outside contractors set it up.
   > > > >
   > > > > Of course I didn't get on the machine nor did he have enough patience to
   > > > > try multiple things on the phone. I did try telnetting into port 135 on the
   > > > > server and no dice so I assumed something was filtering the ports. Then it
   > > > > occurred to me that nothing should interfere in the tunnel thus my first
   > > > > question. Does the third party router even realize what ports you are using?
   > > > > Is IPSEC handled differently than PPTP with regards to ports issues like
   > > > > this appears to be?
   > > > >
   > > > > I know I can setup the router to filter the tunnel, but it's not filtered.
   > > > >
   > > > > Thanks,
   > > > > Ran Hooper
   > > > > ran@qnet.com
   --   
   Regards   
      
   Stephen Hope - remove xx from email to reply   
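As an added example (not code from any of the posters), the route decision John Lewis describes in the quoted reply can be modelled in Python: the client infers a classful mask from the tunnel address it was handed, skips adding the route when the local LAN already falls inside that inferred network, and the fix he suggests is a manual route to the real server-side network. Function names, the sample addresses (10.0.5.20/16 for the hotel LAN, 10.0.1.50 for the tunnel address) and the use of the client's own tunnel address as the route's gateway are my assumptions.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def classful_prefix(addr: str) -> int:
    """Prefix length the DUN client is described as assuming from the first
    octet: class A (0-127) -> /8, class B (128-191) -> /16, class C -> /24."""
    first_octet = int(IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def assumed_remote_network(vpn_ip: str) -> IPv4Network:
    """Remote network the client infers from the tunnel address it was handed,
    e.g. 10.0.1.50 -> 10.0.0.0/8 (the 255.0.0.0 mask mentioned in the thread)."""
    return IPv4Network(f"{vpn_ip}/{classful_prefix(vpn_ip)}", strict=False)


def client_adds_route(local_iface: str, vpn_ip: str) -> bool:
    """Model of the decision in the thread: the route is skipped when the local
    LAN (here the hotel) already falls inside the network the client inferred,
    so packets for the server keep going out the hotel's router instead."""
    local = IPv4Interface(local_iface).network
    return not assumed_remote_network(vpn_ip).overlaps(local)


def manual_route_cmd(server_network: str, vpn_ip: str) -> str:
    """Windows 'route add' for the real server-side network. The PPTP adapter
    carries a /32 (mask 255.255.255.255 in ipconfig), so the client's own
    tunnel address is used as the gateway here; that choice is an assumption."""
    net = IPv4Network(server_network, strict=False)
    return f"route add {net.network_address} mask {net.netmask} {vpn_ip}"


if __name__ == "__main__":
    # Constructed values mirroring the hotel scenario: hotel LAN in 10.0.x.x,
    # office server network 10.0.1.0/24, tunnel address handed out from it.
    hotel_lan, office_net, tunnel_ip = "10.0.5.20/16", "10.0.1.0/24", "10.0.1.50"
    print("client inferred remote network:", assumed_remote_network(tunnel_ip))
    print("route added automatically:", client_adds_route(hotel_lan, tunnel_ip))
    print("manual fix:", manual_route_cmd(office_net, tunnel_ip))
    # Same tunnel from a 192.168.x.x LAN: no overlap with 10/8, route is added.
    print("from a 192.168 LAN:", client_adds_route("192.168.1.7/24", tunnel_ip))
```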
      