Robby,

Thanks for the reply. We're using the Cisco software and using Cisco
5520 ASAs to terminate the VPN. I've tried configuring the VPN profile to
use TCP over port 10000 and that too fails. I'm going to try lowering
the MTU on the public interface of an ASA to see if that helps.

Thanks,

simon

________________________________

From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of
Robby Cauwerts
Sent: Wednesday, September 12, 2007 3:06 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] VPN Issue with Certs and fragmentation


On 9/11/07, Bell Simon (RBNA/CIT1.12) <Simon.Bell@us.bosch.com> wrote:

We occasionally have customers call in reporting that they're never
prompted for credentials when attempting to connect to the VPN. This
happens most often when they're at a hotel/public hotspot. However, if
they use a profile based on a preshared key instead of a cert
authentication, the connection works w/o issue. I've captured traffic
off a failed user and it looks like during a cert auth IPSec tunnel
there's a fair amount of packet fragmentation.


The fragmentation can be solved by using IKE over tcp.
What type of vpn (vendor) are you using?

Br.
Robby

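Editor's note, added to this archived thread (not part of any message above, and not Cisco's or the list's code): the symptom Simon describes (cert auth fragments and fails at hotspots, PSK works) can be reproduced offline. The Python simulation below builds an IKEv1 main-mode message with a CERT payload, fragments it per RFC 791 at a given MTU, and passes the fragments through a hypothetical hotspot filter that only forwards packets from which it can read a UDP destination port of 500 or 4500. That filter behaviour is an assumption used to model the failure, not something the thread establishes; the certificate bytes, the identity `vpnuser@example.test`, and all sizes are constructed, and the message omits the SIG payload and the encryption that real main-mode messages 5/6 carry, which does not change the size picture.

```python
"""Simulate why an IKEv1 exchange with certificate auth can fail where the
same exchange with a pre-shared key succeeds.

Editor-added example; not code from the list thread or from Cisco.  The
hotspot filter is a hypothesis used to model the symptom, and all packet
contents (certificate, identity, cookies) are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

IP_HDR_LEN = 20          # IPv4 header without options
UDP_HDR_LEN = 8
ISAKMP_PORT = 500
NAT_T_PORT = 4500
ISAKMP_HDR_LEN = 28      # RFC 2408 section 3.1

# ISAKMP payload types (RFC 2408 section 3.1) and the X.509 CERT encoding
PAYLOAD_NONE, PAYLOAD_ID, PAYLOAD_CERT, PAYLOAD_HASH = 0, 5, 6, 8
CERT_ENCODING_X509_SIG = 4
ID_USER_FQDN = 3


def isakmp_payload(next_payload: int, body: bytes) -> bytes:
    """Generic payload header: next payload, reserved, length incl. header."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def isakmp_message(first_payload: int, payloads: bytes) -> bytes:
    """ISAKMP header: I-cookie, R-cookie, next payload, version 1.0, exchange
    type 2 (identity protection = main mode), flags, message ID, length.
    Encryption of messages 5/6 is omitted; it does not change the sizes."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first_payload,
                       0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(payloads)) + payloads


def id_payload(next_payload: int) -> bytes:
    # ID type, protocol ID, port, then the constructed user-FQDN identity
    return isakmp_payload(next_payload, struct.pack("!BBH", ID_USER_FQDN, 0, 0)
                          + b"vpnuser@example.test")


def main_mode_psk_message() -> bytes:
    """Main-mode message 5 with PSK auth: ID + HASH, a few dozen bytes."""
    return isakmp_message(PAYLOAD_ID, id_payload(PAYLOAD_HASH)
                          + isakmp_payload(PAYLOAD_NONE, bytes(20)))  # SHA-1 size


def main_mode_cert_message(cert_der: bytes) -> bytes:
    """Main-mode message 5 with signature auth: ID + CERT (SIG omitted).
    The CERT payload is what pushes the datagram past a typical MTU."""
    cert = isakmp_payload(PAYLOAD_NONE, bytes([CERT_ENCODING_X509_SIG]) + cert_der)
    return isakmp_message(PAYLOAD_ID, id_payload(PAYLOAD_CERT) + cert)


@dataclass
class Fragment:
    offset: int          # byte offset of this piece within the IP payload
    more: bool           # MF flag: more fragments follow
    data: bytes          # IP payload bytes carried by this fragment

    def udp_dst_port(self) -> Optional[int]:
        """Only the first fragment (offset 0) contains the UDP header."""
        if self.offset != 0 or len(self.data) < UDP_HDR_LEN:
            return None
        return struct.unpack("!HHHH", self.data[:UDP_HDR_LEN])[1]


def fragment(isakmp: bytes, mtu: int, dst_port: int = ISAKMP_PORT) -> List[Fragment]:
    """Wrap the message in a UDP header and split it into IPv4 fragments that
    fit the MTU.  All but the last carry a multiple of 8 bytes, as the 13-bit
    fragment offset field requires."""
    udp = struct.pack("!HHHH", ISAKMP_PORT, dst_port, UDP_HDR_LEN + len(isakmp), 0) + isakmp
    per_frag = (mtu - IP_HDR_LEN) // 8 * 8
    return [Fragment(off, off + per_frag < len(udp), udp[off:off + per_frag])
            for off in range(0, len(udp), per_frag)]


def hotspot_filter(frags: List[Fragment]) -> List[Fragment]:
    """Hypothetical hotspot/NAT: forward a packet only if a UDP destination
    port of 500 or 4500 can be read from it.  Non-initial fragments cannot."""
    return [f for f in frags if f.udp_dst_port() in (ISAKMP_PORT, NAT_T_PORT)]


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Return the ISAKMP message if the fragments are contiguous and the
    MF chain terminates, else None (the receiver's reassembly timer expires)."""
    ordered = sorted(frags, key=lambda f: f.offset)
    buf, expect = b"", 0
    for f in ordered:
        if f.offset != expect:
            return None
        buf += f.data
        expect += len(f.data)
    if not ordered or ordered[-1].more:
        return None
    return buf[UDP_HDR_LEN:]


def ike_message_survives(isakmp: bytes, mtu: int = 1500) -> bool:
    """True if the message reaches the peer intact through the hotspot filter."""
    return reassemble(hotspot_filter(fragment(isakmp, mtu))) == isakmp


if __name__ == "__main__":
    FAKE_CERT = b"\x30\x82" + bytes(1800)   # constructed: DER-ish blob, ~1.8 KB
    for name, msg in (("PSK", main_mode_psk_message()),
                      ("CERT", main_mode_cert_message(FAKE_CERT))):
        print(f"{name}: {len(msg)} byte ISAKMP message -> "
              f"{len(fragment(msg, 1500))} fragment(s) at MTU 1500, "
              f"survives hotspot: {ike_message_survives(msg)}")
```

In this model the PSK message is one 88-byte datagram and passes; the cert message splits into two fragments, the second of which carries no UDP header and is dropped, so the responder never sees a complete message and the client is never prompted. Carrying IKE inside TCP, as Robby suggests, avoids IP fragmentation altogether because TCP segments the stream itself. Lowering the MTU only changes how many fragments there are (compare `fragment(msg, 576)`), which is worth keeping in mind when interpreting the result of Simon's planned test.
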
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards