encrypted tunnel

Andrew van der Stock ajv "at" greebo.net
Sun, 19 Aug 2001 07:17:24 +0000


You can also use an IPsec policy if both machines are Windows 2000 or later
(but not on XP Home) or the OS supports IPsec (like NetBSD or any of those
using Kame's IPsec). I believe Linux might have a working IPsec
implementation, but the last time I looked at Free S/WAN, it had real
interoperability problems. I'd be happy to hear good success stories with
anyone doing IPsec on Linux in heterogeneous environments.

I've created a VNC policy for you to import if you're using Windows 2000
(any edition) or XP (most editions, AFAIK Home edition doesn't have IPsec).

http://www.evilsecurity.com/vnc/vnc.policy (53 kb)

Download this to somewhere safe, virus scan it, and fire up MMC. Add the
IPsec Policy snap-in, and import the policy. Play around with it and REPLACE
THE PRESHARED SECRET! Do not assign the policy until you've checked
everything out and made sure that you're happy with the settings I've
chosen. I suggest using Active Directory or a certificate for the
authentication seed rather than putting up with the preshared secret (which
is visible to any user with enough privileges to see this snap-in).

I suggest practice is in order until you have it down pat. If you're like
2000 km away from the other host, don't do this until you're sure that this
works for you. Assign the policy ON THE SERVER FIRST. If you were using VNC
at this point, it will terminate. Reconnect once you have assigned the
client's IPsec VNC policy.

Tips for advanced players:

I remove the other auth schemes (see my "Secure Permit" filter action), like
DES and MD5, as DES is too weak, and MD5 is marginally less secure than
SHA1. Session perfect forward secrecy is good, and you should use it (as
this policy does). Get all keys to be regenerated after one hour (3600
seconds) or a certain number of kilobytes. The key regen takes a second or
so (depends on the speed of your machine; if the other end is a Cisco or
similar, expect five to ten seconds as they have primitive and slow
processors). Going the extra few steps makes really advanced key attacks
much harder, but the only point of doing this is if you're using strong auth
(i.e. NOT preshared secrets).

Andrew
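The policy described above, rebuilt as an added example that is not the author's vnc.policy file: it uses the NetSecurity cmdlets of Windows 8 / Server 2012 and later rather than the Windows 2000 MMC snap-in, and it assumes VNC listens on TCP 5900 and that a machine certificate from the CA given by the placeholder DN replaces the preshared secret.

```powershell
# Added example, not the original vnc.policy. Applies the message's advice:
# no DES, no MD5, session PFS, rekey after one hour (3600 s) or a byte count,
# and certificate authentication instead of a preshared secret.
# Assumptions: VNC on TCP 5900; "CN=EXAMPLE-CA" is a placeholder CA DN.

# Phase 1 (main mode): AES and SHA only, DH group 14, one-hour lifetime.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName "VNC Main Mode" -Proposal $mmProposal -MaxMinutes 60

# Strong auth: machine certificate chained to the named root CA (placeholder).
$authProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "CN=EXAMPLE-CA"
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "VNC Cert Auth" -Proposal $authProposal

# Phase 2 (quick mode): ESP with SHA1 integrity, rekey every 60 minutes
# or every 100000 KB, whichever comes first, with perfect forward secrecy.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 `
    -Encryption AES256 -MaxMinutes 60 -MaxKiloBytes 100000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "VNC Quick Mode" `
    -Proposal $qmProposal -PerfectForwardSecrecyGroup DH14

# Bind the main mode crypto set and auth set, then require IPsec in both
# directions for VNC traffic (the equivalent of the "Secure Permit" action).
New-NetIPsecMainModeRule -DisplayName "VNC Main Mode Rule" `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $authSet.Name
New-NetIPsecRule -DisplayName "VNC over IPsec" -Protocol TCP -LocalPort 5900 `
    -InboundSecurity Require -OutboundSecurity Require `
    -QuickModeCryptoSet $qmSet.Name -Phase1AuthSet $authSet.Name
```

As the message says, create the rule on the server first and expect the live VNC session to drop until the client side carries the matching rule.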

----- Original Message -----
From: "Michael F. March" <march "at" indirect.com>
To: <vnc-list "at" uk.research.att.com>
Sent: Saturday, August 18, 2001 6:25 AM
Subject: Re: encrypted tunnel


> Openssh on Cygwin works in 98, 98se, ME, etc too.
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------