
Firewall Wizards mailing list archives
RE: Sanity Check - Raptor-to-Cisco VPN plan
From: "John Burgess" <john.burgess () fastex net>
Date: Thu, 9 Mar 2000 18:24:59 -0600
I'm not exactly sure what the failure was. Both firewalls acted like everything was OK (no error messages). My pings never got to "them" and traceroutes would give the more than 20 hops message, get through several routers and then time out. I could see them pinging me on the outside interface of my firewall though, but I really couldn't say if they were getting to my firewall via the VPN or just going around it. When I ran traceroutes from outside to "them" I got a different set of routers in the traceroute, so it was hard to tell what was going on.

On the bright side, my lobbying for a plain and simple additional frame circuit seems to have paid off today. CIO said he was tired of "fooling around" and I might as well go ahead and start building a new frame relay WAN to bring all the new properties on board. (We _hate_ our current WAN vendor, with whom I have about 25 circuits so far.)

-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Thursday, March 09, 2000 12:45 PM
To: John Burgess
Cc: firewall-wizards () nfr net
Subject: Re: Sanity Check - Raptor-to-Cisco VPN plan

On Tue, 7 Mar 2000, John Burgess wrote:
Internet circuits ("us" has point-to-point to C&W; "them" has frame-relay to local ISP). "us" has an NT Raptor firewall, "them" has a Watchguard Firebox. Tried to set up a VPN between firewalls and although Raptor tech support was willing to help, Watchguard tech support refused to even log a call since it involved Raptor. Several attempts to create a VPN between the two firewalls failed. Internet searches revealed lots of 'should be possible' hits, but no real meat. Gave up on this angle.
Failed how? My personal experience has been that some ISPs (either yours, or one in-between) will block some kinds of traffic. This can result in things like IPSec or GRE just not arriving. I ask how it broke because if you're having that problem, then you're likely to be frustrated by a wide variety of VPN types. Just to make things fun, the occasional topology change will cause your VPN traffic to cross an ISP that blocks, so you may have intermittent failures. Joy.

Ryan

(On my list of things to do in my copious spare time is modify a version of traceroute to use an arbitrary IP type. I'm pretty sure I could use such a tool to tell which router is blocking which traffic type.)
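Ryan's closing idea, a traceroute that carries an arbitrary IP protocol number so you can see at which hop ESP (protocol 50) or GRE (protocol 47) stops being forwarded while ICMP still gets through, can be sketched in a few dozen lines. The script below is an added example written for this archive page; it is not code from the thread, from Raptor, Watchguard, or any other product mentioned. It assumes Linux-style raw sockets (IP_HDRINCL, CAP_NET_RAW), and the addresses in the offline demo are constructed RFC 5737 documentation addresses. Packet building, reply parsing and the hop comparison are pure functions so they can be exercised without a network; only trace_protocol() touches a socket.

```python
"""Protocol-aware traceroute: probe with an arbitrary IP protocol number and
compare the hop list with a plain-ICMP trace to find where it goes silent."""
import socket
import struct
import sys
import time

IPPROTO_GRE = 47            # IANA protocol numbers (real values)
IPPROTO_ESP = 50
ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
PROBE_TAG = 0x4200          # ident = PROBE_TAG + ttl so replies can be matched


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(src: str, dst: str, proto: int, ttl: int, ident: int,
                payload: bytes = b"") -> bytes:
    """Raw IPv4 packet with caller-chosen protocol number, TTL and ident."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_icmp_reply(packet: bytes):
    """Parse an ICMP error as read from a raw ICMP socket (outer IP header
    included). Returns (router, icmp_type, quoted_proto, quoted_ident) or None."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP or len(packet) < ihl + 8 + 20:
        return None
    icmp_type = packet[ihl]
    if icmp_type not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        return None
    inner = packet[ihl + 8:ihl + 8 + 20]        # quoted header of our probe
    return (socket.inet_ntoa(packet[12:16]), icmp_type,
            inner[9], struct.unpack("!H", inner[4:6])[0])


def make_icmp_reply(router: str, dst: str, icmp_type: int, original: bytes) -> bytes:
    """Constructed sample of the ICMP error a router would send (offline demo)."""
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0) + original[:28]
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                        socket.IPPROTO_ICMP, 0,
                        socket.inet_aton(router), socket.inet_aton(dst))
    return outer + icmp


def first_blocked_hop(reference: dict, candidate: dict):
    """reference/candidate map ttl -> replying router (or None). Returns the
    (ttl, last_router_that_still_answered) where the candidate protocol goes
    quiet while the reference protocol still gets replies, else None."""
    last_seen = None
    for ttl in sorted(reference):
        if candidate.get(ttl) is not None:
            last_seen = candidate[ttl]
        elif reference[ttl] is not None:
            return ttl, last_seen
    return None


def trace_protocol(src: str, dst: str, proto: int, max_ttl: int = 20,
                   timeout: float = 2.0) -> dict:
    """Live trace: one probe per TTL, needs CAP_NET_RAW. Returns {ttl: router}."""
    tx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    tx.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    rx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    rx.settimeout(timeout)
    hops = {}
    for ttl in range(1, max_ttl + 1):
        ident = PROBE_TAG + ttl
        tx.sendto(build_probe(src, dst, proto, ttl, ident), (dst, 0))
        hops[ttl], deadline = None, time.time() + timeout
        while time.time() < deadline:
            try:
                data, _ = rx.recvfrom(1500)
            except socket.timeout:
                break
            got = parse_icmp_reply(data)
            if got and got[2] == proto and got[3] == ident:
                hops[ttl] = got[0]
                break
    return hops


if __name__ == "__main__":
    if len(sys.argv) == 3:          # usage: script.py <local-src-ip> <dst-ip>
        ref = trace_protocol(sys.argv[1], sys.argv[2], socket.IPPROTO_ICMP)
        esp = trace_protocol(sys.argv[1], sys.argv[2], IPPROTO_ESP)
        print("ESP stops at:", first_blocked_hop(ref, esp))
    else:                           # offline demo on a constructed reply
        probe = build_probe("192.0.2.10", "198.51.100.10", IPPROTO_ESP, 3, PROBE_TAG + 3)
        print(parse_icmp_reply(make_icmp_reply("10.0.0.1", "192.0.2.10",
                                               ICMP_TIME_EXCEEDED, probe)))
```

Two caveats when reading the output: a filtering router may answer with an ICMP administratively-prohibited unreachable (type 3) or drop silently, and many routers rate-limit ICMP errors, so repeat each TTL a few times before calling a hop "blocked". The comparison against a plain-ICMP trace is what isolates protocol filtering from an ordinary unresponsive hop.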
Current thread:
- Sanity Check - Raptor-to-Cisco VPN plan John Burgess (Mar 08)
- Re: Sanity Check - Raptor-to-Cisco VPN plan Ryan Russell (Mar 13)
- RE: Sanity Check - Raptor-to-Cisco VPN plan John Burgess (Mar 13)
- Re: Sanity Check - Raptor-to-Cisco VPN plan Ryan Russell (Mar 13)