[WISPA] IPsec/UDP and my border NAT gateway

2007-01-15 Thread rabbtux rabbtux

Anyone have suggestions on what I need to do to allow my customer to
do this type of VPN.  I currently have customers behind my
linux/iptables firewall that masquerades them out a single IP.   This
is the first customer who is having problems.  Do I need a special
rule to accommodate them??

The customer is using CenterBeam VPN services, and they tell him that,
your isp is blocking VPN pass thru.   I'm not blocking anything.
help!

Thank you kindly,
marshall
--
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/


Re: [WISPA] San Francisco Legislative Analyst report released on EarthLink Google WiFi deal - says Start Over

2007-01-15 Thread Dawn DiPietro

Peter,

I would agree with what you have to say about opinions but this was not 
opinion. It was a statement based on a misunderstanding of what was 
written in a public document about a high profile project.


Regards,
Dawn DiPietro


Peter R. wrote:


Easy there, Dawn.

Muni wireless is just one of those topics like gay marriage -- it 
fires up the constituency.


Like everything else, everyone has the right to his/her opinion 
without getting personal (or political), no matter how wrong that 
opinion may be.


- Peter


Dawn DiPietro wrote:

I would encourage you to stop making statements that are not true 
because you don't have time to read the whole report and/or don't 
fully understand what has been written.


Regards,
Dawn DiPietro







RE: [WISPA] IPsec/UDP and my border NAT gateway

2007-01-15 Thread Eric Rogers
You have to create a rule to allow the GRE tunnel back to your customer
from the VPN Server IP.  Are you forwarding ALL public IP traffic to his
private IP?

I believe it is Protocol 47 or something like that.  You also need to
allow certain udp ports through but I don't remember off the top of my
head.  Do a quick google on iptables IPSec NAT and you should find
what you need.

Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of rabbtux rabbtux
Sent: Monday, January 15, 2007 2:45 PM
To: WISPA General List
Subject: [WISPA] IPsec/UDP and my border NAT gateway

Anyone have suggestions on what I need to do to allow my customer to
do this type of VPN.  I currently have customers behind my
linux/iptables firewall that masquerades them out a single IP.   This
is the first customer who is having problems.  Do I need a special
rule to accommodate them??

The customer is using CenterBeam VPN services, and they tell him that,
your isp is blocking VPN pass thru.   I'm not blocking anything.
help!

Thank you kindly,
marshall


Re: [WISPA] IPsec/UDP and my border NAT gateway

2007-01-15 Thread Butch Evans

On Mon, 15 Jan 2007, rabbtux rabbtux wrote:

Anyone have suggestions on what I need to do to allow my customer 
to do this type of VPN.  I currently have customers behind my 
linux/iptables firewall that masquerades them out a single IP. 
This is the first customer who is having problems.  Do I need a 
special rule to accommodate them??


Not a special rule, but there are 2 things that have to be correct 
for this to work.


1. Your NAT device has to be able to handle IPSEC passthrough
2. Your customer's VPN client has to handle IPSEC passthrough.

The customer is using CenterBeam VPN services, and they tell him 
that, your isp is blocking VPN pass thru.  I'm not blocking 
anything. help!


Your customer's tech support center is too stupid to tell him what 
the problem would be.  Look here for some information on configuring 
IPSEC passthrough on Linux iptables:

http://www.linux.org/docs/ldp/howto/VPN-Masquerade-HOWTO.html


--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
My calendar: http://tinyurl.com/y24ad6
Training Partners: http://tinyurl.com/smfkf
Mikrotik Certified Consultant
http://www.mikrotik.com/consultants.html


RE: [WISPA] SF Earthlink study

2007-01-15 Thread Ralph
Kimo- please explain what Webnetic is.


Numbering my responses to Kimo's questions:


1. Right now, a handful of cities (I think they are the 3 Metro-Fi cities in
Silicon Valley, plus Mtn View) are getting 1Mb. This is totally dependent on
the depth of the pockets of Metro-Fi's backers and on the advertising
revenues.  Ever play with a puppy in a pet store? They are so cute, you just
have to take it home.  If the business model doesn't pay out i.e.: They
don't get enough paying subscribers or they don't get the revenue from the
ads, then you will see it change. Not saying that was Metricom's demise, but
they had few users and any Metro network takes gobs of money to build out.
I've seen it first hand... With this model and with the equipment that will
be used in SF. It ain't free and it ain't cheap!

2. So Seattle will have it in 10 years.  By then, there will be something
bigger and better. Will the SF residents have to wait 10 years too?  Not
something I'd be willing to do- especially when I was faced with a proposal
from someone who will do it for free and assume all the risk.  What has SF
got to lose?

3.  Milpitas, CA.  No tall residential buildings (but some are under
construction).  A 24-30 ft high access point with the relatively low gain of
the Tropos antennas will have a good amount of upward radiation.  It isn't
that much better of an antenna than a dipole would be.  It certainly has
little, if any, directional abilities.  It may not go up into a 30 story
hotel or apartment house, but how many residences in SF are in those?  That
can easily be the 5 or 10 % allowed not to be covered.  Most of my friends
in SF live in 2-4 story abodes.  According to the web page, the CPE is given
with a paid connection anyway, so there's no-one not getting one except for
the people taking the freebie.  Even if I chose to live in a place that
required use of a CPE, it is no different than buying an XM receiver to
listen to XM, or buying a transistor radio or boom box to listen to free
radio.

I really don't see what the whole hoo-ha is about. A company is willing to
build this out, for no taxpayer cost- giving away free service that is 6
times faster than dial up.  If I lived there and had nothing (or still had
dialup) I would jump on it in a heartbeat.   Imagine for a moment that EL
was to walk away.  The city (which will admittedly be one of the hardest in
the World to cover) will have no immediate service to compete with cable and
phone, much less a free service.

It all sounds like a lobby from the telcos and cablecos to me. It is a
tempest in a teapot.  
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Kimo Crossman
Sent: Monday, January 15, 2007 1:17 PM
To: wireless@wispa.org; [EMAIL PROTECTED]
Subject: [WISPA] SF Earthlink study

From: Ralph [EMAIL PROTECTED]

It is. SF has no financial investment at all. They just get a free 
ubiquitous network covering their city, like many other cities already
have.
As far as the 300k free tier goes, 300 k is fine if you had nothing. 
What do they think, that the dial up people had free dialup already?

Other cities are getting 1000kbps free - why not SF?

Fiber to the prem?  Ha. In all of SF? Not in my lifetime.

Seattle is planning fiber to the home by 2015

The stuff in there about the $80-200.00 CPE is just bogus. Someone has 
fed the authors of that report a line of bull! If the contract with the 
City
says building penetration, then that's what EL has to do. Talking 
about CPEs
is putting the cart before the horse a bit. My experience with another 
town they did has been that there is penetration to 95% of that city's 
streets, and a good bit inside the homes.

What town?  Does that town have a lot of tall multiresidential dwellings?
I think the issue with CPE is both building penetration in all floors as
well as the ability of the computer to send back the response. Even
EarthLink in the contract agrees that CPE will probably be needed indoors.




RE: [WISPA] San Francisco Legislative Analyst report released on EarthLink Google WiFi deal - says Start Over

2007-01-15 Thread Ralph
Where do they guarantee anon usage?  I have used both Sunnyvale and Santa
Clara and had to sign up to use it.
No one is going to allow anon usage! Too many things can happen when users
do bad things.
If you were in this business, you would understand. 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Kimo Crossman
Sent: Monday, January 15, 2007 12:16 AM
To: 'Marlon K. Schafer'; 'WISPA General List'
Subject: RE: [WISPA] San Francisco Legislative Analyst report
releasedonEarthLink Google WiFi deal - says Start Over

Yes EarthLink and Google are paying for it, but now as the city looks at the
deal compared with what other cities are getting and their direction,
questions arise

MetroFi is giving 1mb speed free to all and anonymous usage is guaranteed
Seattle has embraced Fiber first and only targeted wifi 

-Original Message-
From: Marlon K. Schafer [mailto:[EMAIL PROTECTED]
Sent: 2007 January 14 20:39
To: [EMAIL PROTECTED]; WISPA General List
Subject: Re: [WISPA] San Francisco Legislative Analyst report released
onEarthLink Google WiFi deal - says Start Over

Whoa, hold the phone there Haus.

I thought that the deal was bought and paid for by EL not Frisco!

- Original Message -
From: Kimo Crossman [EMAIL PROTECTED]
To: wireless@wispa.org
Sent: Saturday, January 13, 2007 2:08 PM
Subject: [WISPA] San Francisco Legislative Analyst report released
onEarthLink Google WiFi deal - says Start Over




See PDF
http://www.sfgov.org/site/uploadedfiles/budanalyst/Reports/WiFi/MunicipalWiF
iReport_011107.pdf

Or
http://tinyurl.com/yhysne



RE: [WISPA] IPsec/UDP and my border NAT gateway

2007-01-15 Thread Frank

A standard IPsec VPN will use GRE, protocol 47:
http://www.iana.org/assignments/protocol-numbers

It's not UDP.

It appears that CenterBeam VPN uses Cisco gear:
http://newsroom.cisco.com/dlls/prod_121201.html

If this is the case, then they should be able to encapsulate this into UDP
or IP and this should allow the client inside your network to connect. You
may need to verify that your iptables rules are allowing any UDP traffic.

The Cisco PIX firewalls and their VPN hardware support this type of
encapsulation expressly for the purpose of passing through NAT gateways.

If the VPN client is not configured for UDP or TCP then there is likely
nothing you can do since GRE and NAT are not always friendly to each other.
Verify that the Cisco Software VPN client on your customer's PC is set to
encapsulate (tunnel) within UDP.

You may need some diagnostic tools like a sniffer (ethereal.com) or use
tcpdump within your Linux firewall. Also, logging dropped packets in your
iptables firewall may also be of assistance.


Thank you

Frank Keeney
Pasadena Networks, LLC
Antennas, Cables and Equipment:
http://www.wlanparts.com 


 

 -Original Message-
 From: rabbtux rabbtux
 
 Anyone have suggestions on what I need to do to allow my customer to
 do this type of VPN.  I currently have customers behind my
 linux/iptables firewall that masquerades them out a single IP.   This
 is the first customer who is having problems.  Do I need a special
 rule to accommodate them??
 
 The customer is using CenterBeam VPN services, and they tell him that,
 your isp is blocking VPN pass thru.   I'm not blocking anything.
 help!
 
 Thank you kindly,
 marshall
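
Added example (not part of Frank's post or of the thread): one way to act on the tcpdump suggestion above is to capture only the VPN-related protocols and count, per transport, what went to the VPN server and what came back. It assumes `tcpdump -n` text output and uses UDP 500 (IKE), UDP 4500 (IPsec NAT traversal) and IP protocols 50 (ESP), 51 (AH) and 47 (GRE); the sample lines are constructed and 203.0.113.10 is a placeholder for the VPN server.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumptions: input is text from `tcpdump -n`; 203.0.113.10 is a placeholder
# (documentation address) for the VPN server; the sample lines are constructed.

vpn_capture_filter() {
    # pcap filter for one peer ($1): IKE, NAT-T, ESP (50), AH (51), GRE (47)
    printf 'host %s and (udp port 500 or udp port 4500 or ip proto 50 or ip proto 51 or ip proto 47)\n' "$1"
}

classify_vpn_capture() {
    # $1 = VPN server address; stdin = `tcpdump -n` lines.
    # Prints one line per transport seen: "<kind> out=N in=M <status>".
    awk -v peer="$1" '
    # True when field a is the peer address, with or without a ".port" suffix
    function side(a) { return (a == peer || index(a, peer ".") == 1) }
    $2 == "IP" && $4 == ">" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        if (side(dst))      { dir = "out"; far = dst }
        else if (side(src)) { dir = "in";  far = src }
        else next                               # not VPN server traffic
        port = (far == peer) ? "" : substr(far, length(peer) + 2)
        if (port == "500")        kind = "ike"
        else if (port == "4500")  kind = "natt"
        else if (port != "")      kind = "other"   # e.g. vendor UDP/TCP tunnel
        else if ($0 ~ /: ESP\(/)  kind = "esp"
        else if ($0 ~ /: AH\(/)   kind = "ah"
        else if ($0 ~ /: GREv/)   kind = "gre"
        else                      kind = "other"
        n[kind, dir]++
    }
    END {
        split("ike natt esp ah gre other", order, " ")
        for (i = 1; i <= 6; i++) {
            k = order[i]; o = n[k, "out"] + 0; r = n[k, "in"] + 0
            if (o + r == 0) continue
            status = (o > 0 && r == 0) ? "no-reply" : (o == 0 ? "unsolicited" : "ok")
            printf "%s out=%d in=%d %s\n", k, o, r, status
        }
    }'
}

sample_capture() {
    # Constructed lines in the shape of `tcpdump -n` output on the LAN side
    cat <<'EOF'
14:02:11.100001 IP 10.10.3.7.500 > 203.0.113.10.500: isakmp: phase 1 I ident
14:02:11.180442 IP 203.0.113.10.500 > 10.10.3.7.500: isakmp: phase 1 R ident
14:02:11.260913 IP 10.10.3.7.500 > 203.0.113.10.500: isakmp: phase 2/others I oakley-quick[E]
14:02:11.340120 IP 203.0.113.10.500 > 10.10.3.7.500: isakmp: phase 2/others R oakley-quick[E]
14:02:12.000311 IP 10.10.3.7 > 203.0.113.10: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
14:02:13.000457 IP 10.10.3.7 > 203.0.113.10: ESP(spi=0x1a2b3c4d,seq=0x2), length 116
14:02:13.500000 IP 10.10.3.9.51514 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
EOF
}

# Live use (as root; <lan-if> is the customer-facing interface):
#   tcpdump -n -c 200 -i <lan-if> "$(vpn_capture_filter 203.0.113.10)" \
#       | classify_vpn_capture 203.0.113.10
sample_capture | classify_vpn_capture 203.0.113.10
```

A `no-reply` line for one transport while another shows `ok` narrows the problem to that transport rather than to the gateway as a whole.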



RE: [WISPA] San Francisco Legislative Analyst report released on EarthLink Google WiFi deal - says Start Over

2007-01-15 Thread Kimo Crossman
Ok to Clarify, here is what EPIC says about MetroFi's Privacy policy:

MetroFi proposes an advertising-supported service with a 1 Mbps connection, or 
the same connection without advertisements for $20 a month.

As with many companies operating under self-regulatory privacy norms, MetroFi's 
privacy statement is contradictory.  It claims only to gather anonymous 
information for the free service, but later on the same page, the company 
states that its free service collects email addresses and demographic 
information through surfing behavior and questionnaires.  Email addresses are 
identifiable, personal information.  Furthermore, aggregate surfing behavior 
and questionnaire information can be used to identify individuals.
http://www.epic.org/privacy/internet/sfan4306.html


Wondering if you had any other thoughts on the Analyst report?


-Original Message-
From: Ralph [mailto:[EMAIL PROTECTED] 
Sent: 2007 January 15 15:01
To: [EMAIL PROTECTED]; 'WISPA General List'
Subject: RE: [WISPA] San Francisco Legislative Analyst report 
releasedonEarthLink Google WiFi deal - says Start Over

Where do they guarantee anon usage?  I have used both Sunnyvale and Santa Clara 
and had to sign up to use it.
No one is going to allow anon usage! Too many things can happen when users do 
bad things.
If you were in this business, you would understand. 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kimo Crossman
Sent: Monday, January 15, 2007 12:16 AM
To: 'Marlon K. Schafer'; 'WISPA General List'
Subject: RE: [WISPA] San Francisco Legislative Analyst report 
releasedonEarthLink Google WiFi deal - says Start Over

Yes EarthLink and Google are paying for it, but now as the city looks at the 
deal compared with what other cities are getting and their direction, questions 
arise

MetroFi is giving 1mb speed free to all and anonymous usage is guaranteed 
Seattle has embraced Fiber first and only targeted wifi 

-Original Message-
From: Marlon K. Schafer [mailto:[EMAIL PROTECTED]
Sent: 2007 January 14 20:39
To: [EMAIL PROTECTED]; WISPA General List
Subject: Re: [WISPA] San Francisco Legislative Analyst report released 
onEarthLink Google WiFi deal - says Start Over

Whoa, hold the phone there Haus.

I thought that the deal was bought and paid for by EL not Frisco!

- Original Message -
From: Kimo Crossman [EMAIL PROTECTED]
To: wireless@wispa.org
Sent: Saturday, January 13, 2007 2:08 PM
Subject: [WISPA] San Francisco Legislative Analyst report released onEarthLink 
Google WiFi deal - says Start Over




See PDF
http://www.sfgov.org/site/uploadedfiles/budanalyst/Reports/WiFi/MunicipalWiF
iReport_011107.pdf

Or
http://tinyurl.com/yhysne



RE: [WISPA] IPsec/UDP and my border NAT gateway

2007-01-15 Thread Dennis Burgess - 2K Wireless
In case someone didn't say, if they are using CISCO IPSEC, etc, what happens
is this.

1.  Client requests via TCP to start a VPN session
2.  Server sends back UDP packets to start the session
3.  NAT/MASQ blocks these un-authed UDP packets.

The two answers are:

1.  Tell the customer to change their CISCO VPN client to TCP, works just as
good.
2.  Have the customer pay for a business account and a static IP.

Those are my options for these customers, I have a number of them.

Dennis


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of rabbtux rabbtux
Sent: Monday, January 15, 2007 1:45 PM
To: WISPA General List
Subject: [WISPA] IPsec/UDP and my border NAT gateway

Anyone have suggestions on what I need to do to allow my customer to
do this type of VPN.  I currently have customers behind my
linux/iptables firewall that masquerades them out a single IP.   This
is the first customer who is having problems.  Do I need a special
rule to accommodate them??

The customer is using CenterBeam VPN services, and they tell him that,
your isp is blocking VPN pass thru.   I'm not blocking anything.
help!

Thank you kindly,
marshall


RE: [WISPA] IPsec/UDP and my border NAT gateway

2007-01-15 Thread Dennis Burgess - 2K Wireless
IPSEC uses the GRE, but also traverses UDP.  CISCO VPN clients do use UDP,
they use GRE to do the establishment sometimes as well.  The Cisco VPN
client is a pain, regardless, but there is an option for TCP connectivity.

Dennis


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Frank
Sent: Monday, January 15, 2007 5:05 PM
To: 'WISPA General List'
Subject: RE: [WISPA] IPsec/UDP and my border NAT gateway


A standard IPsec VPN will use GRE, protocol 47:
http://www.iana.org/assignments/protocol-numbers

It's not UDP.

It appears that CenterBeam VPN uses Cisco gear:
http://newsroom.cisco.com/dlls/prod_121201.html

If this is the case, then they should be able to encapsulate this into UDP
or IP and this should allow the client inside your network to connect. You
may need to verify that your iptables rules are allowing any UDP traffic.

The Cisco PIX firewalls and their VPN hardware support this type of
encapsulation expressly for the purpose of passing through NAT gateways.

If the VPN client is not configured for UDP or TCP then there is likely
nothing you can do since GRE and NAT are not always friendly to each other.
Verify that the Cisco Software VPN client on your customer's PC is set to
encapsulate (tunnel) within UDP.

You may need some diagnostic tools like a sniffer (ethereal.com) or use
tcpdump within your Linux firewall. Also, logging dropped packets in your
iptables firewall may also be of assistance.


Thank you

Frank Keeney
Pasadena Networks, LLC
Antennas, Cables and Equipment:
http://www.wlanparts.com 


 

 -Original Message-
 From: rabbtux rabbtux
 
 Anyone have suggestions on what I need to do to allow my customer to
 do this type of VPN.  I currently have customers behind my
 linux/iptables firewall that masquerades them out a single IP.   This
 is the first customer who is having problems.  Do I need a special
 rule to accommodate them??
 
 The customer is using CenterBeam VPN services, and they tell him that,
 your isp is blocking VPN pass thru.   I'm not blocking anything.
 help!
 
 Thank you kindly,
 marshall



RE: [WISPA] IPsec/UDP and my border NAT gateway

2007-01-15 Thread Frank
I seem to remember specifically allowing this UDP years ago when I used
iptables, ipfwadm and ipchains.

Once these rules were in place, the Cisco VPN (encapsulated inside UDP)
worked fine.

Frank


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dennis 
 Burgess - 2K Wireless
 Sent: Monday, January 15, 2007 4:36 PM
 To: 'WISPA General List'
 Subject: RE: [WISPA] IPsec/UDP and my border NAT gateway
 
 In case someone didn't say, if they are using CISCO IPSEC, 
 etc, what happens
 is this.
 
 1.  Client requests via TCP to start a VPN session
 2.  Server sends back UDP packets to start the session
 3.  NAT/MASQ blocks these un-authed UDP packets.
 
 The two answers are:
 
 1.  Tell the customer to change their CISCO VPN client to TCP, 
 works just as
 good.
 2.  Have the customer pay for a business account and a static IP.
 
 Those are my options for these customers, I have a number of them.
 
 Dennis
 
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On
 Behalf Of rabbtux rabbtux
 Sent: Monday, January 15, 2007 1:45 PM
 To: WISPA General List
 Subject: [WISPA] IPsec/UDP and my border NAT gateway
 
 Anyone have suggestions on what I need to do to allow my customer to
 do this type of VPN.  I currently have customers behind my
 linux/iptables firewall that masquerades them out a single IP.   This
 is the first customer who is having problems.  Do I need a special
 rule to accommodate them??
 
 The customer is using CenterBeam VPN services, and they tell him that,
 your isp is blocking VPN pass thru.   I'm not blocking anything.
 help!
 
 Thank you kindly,
 marshall


RE: [WISPA] Looking for Trangos

2007-01-15 Thread wifi
Always love you guys.  You know where to find me.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Dennis Burgess - 2K Wireless
Sent: Monday, January 15, 2007 6:31 PM
To: 'WISPA General List'
Subject: RE: [WISPA] Looking for Trangos

She don't like us anymore. lol

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Marlon K. Schafer
Sent: Sunday, January 14, 2007 10:18 PM
To: WISPA General List
Subject: Re: [WISPA] Looking for Trangos

hey, you are back!  I was wondering where you've been hiding.

- Original Message -
From: [EMAIL PROTECTED]
To: wireless@wispa.org
Sent: Thursday, January 11, 2007 11:51 AM
Subject: [WISPA] Looking for Trangos


 Hello List.
 
 Looking for used, but working, 5830 Trango SU's
 
 
 
 Thanks.
 
 Victoria Proffer
 
 [EMAIL PROTECTED]
 
 StLBroadband.com
 
 314-974-5600
 
 
 
 
 


[WISPA] WTB: DS3 - Ethernet converters

2007-01-15 Thread Gino Villarini
Looking for Net to Net 6 port ds3 - Ethernet converters ...

Gino A. Villarini
[EMAIL PROTECTED]
Aeronet Wireless Broadband Corp.
tel  787.273.4143   fax   787.273.4145



Re: [WISPA] calea

2007-01-15 Thread Forrest W. Christian

Marlon K. Schafer (509) 982-2181 wrote:




There are already standards in place on what and how to do this for 
the DSL industry, cable is working on a standard.  The conversation 
was more technical than I can recall word for word, but it sounds like 
it would be a very very good idea for us to either adopt an existing 
CALEA standard or develop one for our industry.  Anyone care to head 
up a committee on the topic??? 


Me heading up a committee right now isn't really in the cards, but I do 
want to add my $0.02


Technically this isn't really a problem.   All that is needed is for you 
to be able to run a packet sniffer in the right spot on your network.


On my core router (which happens to be Open Source based), I would just 
need to do something like:


tcpdump -i vlan23 -C 100 -w caleaoutput  host 1.2.3.4

This would produce a set of raw dump files containing the requested 
packets which could then be transferred to law enforcement.


If you have a managed switch, having a linux box plugged into a mirrored 
switchport facing the client would permit you to do this.


The hard part is how to provide this to law enforcement.   I think 
perhaps just putting these files on a SFTP or password-protected 
https:// site might be sufficient.


-forrest




Re: [WISPA] IPsec/UDP and my border NAT gateway

2007-01-15 Thread rabbtux rabbtux

I have one rule that I thought would work with all NAT friendly vpns:

# Masquerade for wireless 10.10.0.0 (MASQUERADE is a nat-table target, so -t nat is required)
iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -o ppp0 -j MASQUERADE

So is this Centerbeam VPN not 'NAT friendly'?   I don't currently have
the option to pass routable IPs to customers :(

On 1/15/07, Frank [EMAIL PROTECTED] wrote:

I seem to remember specifically allowing this UDP years ago when I used
iptables, ipfwadm and ipchains.

Once these rules were in place, the Cisco VPN (encapsulated inside UDP)
worked fine.

Frank


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dennis
 Burgess - 2K Wireless
 Sent: Monday, January 15, 2007 4:36 PM
 To: 'WISPA General List'
 Subject: RE: [WISPA] IPsec/UDP and my border NAT gateway

 In case someone didn't say, if they are using CISCO IPSEC,
 etc, what happens
 is this.

 1.  Client requests via TCP to start a VPN session
 2.  Server sends back UDP packets to start the session
 3.  NAT/MASQ blocks these un-authed UDP packets.

 The two answers are:

 1.  Tell the customer to change their CISCO VPN client to TCP,
 works just as
 good.
 2.  Have the customer pay for a business account and a static IP.

 Those are my options for these customers, I have a number of them.

 Dennis


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of rabbtux rabbtux
 Sent: Monday, January 15, 2007 1:45 PM
 To: WISPA General List
 Subject: [WISPA] IPsec/UDP and my border NAT gateway

 Anyone have suggestions on what I need to do to allow my customer to
 do this type of VPN.  I currently have customers behind my
 linux/iptables firewall that masquerades them out a single IP.   This
 is the first customer who is having problems.  Do I need a special
 rule to accommodate them??

 The customer is using CenterBeam VPN services, and they tell him that,
 your isp is blocking VPN pass thru.   I'm not blocking anything.
 help!

 Thank you kindly,
 marshall
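
Added example (not from the thread, and not the poster's actual firewall): the MASQUERADE rule in the message above only translates addresses, so on a gateway whose FORWARD chain is restrictive the VPN protocols named in the replies also have to be accepted, and a rate-limited LOG rule shows what still falls through. LAN_NET and WAN_IF take their values from the quoted rule; the restrictive FORWARD chain and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry run by default: the commands
# are printed; set APPLY=1 (as root) to execute them instead.
# Assumptions: LAN_NET and WAN_IF match the MASQUERADE rule quoted in the
# thread; the log prefix is a made-up label.

LAN_NET="${LAN_NET:-10.10.0.0/16}"
WAN_IF="${WAN_IF:-ppp0}"

run() {
    # Print the command unless APPLY=1 was set by the operator
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

vpn_passthrough_rules() {
    # Source NAT for the customer range (MASQUERADE lives in the nat table)
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Replies to flows that a customer opened come back through conntrack
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # IKE (udp/500) and IPsec NAT traversal (udp/4500), outbound only
    run iptables -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -p udp -m multiport --dports 500,4500 -j ACCEPT

    # ESP is IP protocol 50: it has no ports, so it needs its own rule
    run iptables -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -p 50 -j ACCEPT

    # GRE is IP protocol 47, the number given in the replies; PPTP's GRE
    # additionally relies on the kernel's PPTP conntrack/NAT helper modules
    run iptables -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -p 47 -j ACCEPT

    # Last in the chain: log, rate limited, whatever no rule above accepted,
    # so a blocked VPN packet shows up in the kernel log with this prefix
    run iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix vpn-fwd-unmatched:
}

vpn_passthrough_rules
```

The rules open outbound VPN traffic only; nothing is forwarded to a customer unless conntrack ties it to a flow the customer started.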


Re: [WISPA] IPsec/UDP and my border NAT gateway

2007-01-15 Thread Pete Davis
My approach is a little more lazy than most firewall management people 
provide, I suspect. If a customer isn't able to function within the set 
of firewall rules that I have set for most of the customers, I add his 
IP to a whitelist list of IP addresses in my firewall. These addresses 
don't get any firewalling. If the SRC IP or DST IP is in the whitelist 
range, then the packet gets accepted.


My justification: The main purpose of the firewall is to protect the 
customer from viruses, vulnerabilities, and the like. It also 
potentially protects you from things like 'getting your IP range on a 
spam RBL', but the firewall is mainly to benefit the subscribers.


If a customer has gotten this far, he sounds like he has his own NAT 
firewall at least, and probably doesn't need your protection at the border.


Pete Davis
NoDial.net

rabbtux rabbtux wrote:

Anyone have suggestions on what I need to do to allow my customer to
do this type of VPN.  I currently have customers behind my
linux/iptables firewall that masquerades them out a single IP.   This
is the first customer who is having problems.  Do I need a special
rule to accommodate them??

The customer is using CenterBeam VPN services, and they tell him that,
your isp is blocking VPN pass thru.   I'm not blocking anything.
help!

Thank you kindly,
marshall

